Abstract

We present an affine-intuitionistic system of types and effects which can be regarded as an extension of Barber-Plotkin Dual Intuitionistic Linear Logic to multi-threaded programs with effects. In the system, dynamically generated values such as references or channels are abstracted into a finite set of regions. We introduce a discipline of region usage that entails the confluence (and hence determinacy) of the typable programs. Further, we show that a discipline of region stratification guarantees termination.

1 Introduction

There is a well-known connection between intuitionistic proofs and typed functional programs that goes under the name of Curry-Howard correspondence. Following the introduction of linear logic [9], this correspondence has been refined to include an explicit treatment of the process of data duplication. Various formalisations of these ideas have been proposed in the literature (see, e.g., [2, 3, 17, 16]) and we will focus here in particular on Affine-Intuitionistic Logic and, more precisely, on an affine version of Barber-Plotkin Dual Intuitionistic Linear Logic (DILL) as described in [5].

In DILL, the operation of $\lambda$-abstraction is always affine, i.e., the formal parameter is used at most once. The more general situation where the formal parameter has multiple usages is handled through a constructor '!' (read bang) marking values that can be duplicated and a destructor let filtering them and effectively allowing their duplication. Following this idea, e.g., an intuitionistic judgement (1) is translated into an affine-intuitionistic one (2) as follows:

$$
y : A \vdash \lambda x.\, x(xy) : (A \to A) \to A \tag{1}
$$

$$
y : (\infty, A) \vdash \lambda x.\ \mathsf{let}\ !z = x\ \mathsf{in}\ z\,!(z\,!y) : \,!(!A \multimap A) \multimap A \tag{2}
$$

We recall that in DILL the hypotheses are split in two zones according to their usage. Namely, one distinguishes between the affine hypotheses that can be used at most once and the intuitionistic ones that can be used arbitrarily many times. In our formalisation, we will use '1' for the former and '$\infty$' for the latter.
1.1 Motivations

Our purpose is to explore an extension of this connection to multi-threaded programs with effects. By extending the connection, we mean in particular to design an affine-intuitionistic type system that accounts for multi-threading and side effects and further to refine the system in order to guarantee confluence (and hence determinism) and termination while preserving a reasonable expressive power. By multi-threaded program, we mean a program where distinct threads of execution may be active at the same time (as is typically the case in concurrent programs) and by effect, we mean the possibility of executing operations that modify the state of a system such as reading/writing a reference or sending/receiving a message. We stress that our aim is not to give a purely logical interpretation of multi-threading and side-effects but rather to apply logical methods to a multi-threaded programming language with side-effects.

1.2 Contributions 

We will start by introducing a simple-minded extension of the purely functional language with operators to run threads in parallel while reading/writing the store, loosely inspired by concurrent extensions of the ML programming language such as [8] and [18], with an interaction mechanism based on (asynchronous) channel communication. In particular, we rely on an operator $\mathsf{get}(x)$ to read a value from an address (channel) $x$ and on two operators $\mathsf{set}(x, V)$ and $\mathsf{pset}(x, V)$ to write a value $V$ into an address $x$, in a volatile (the value read is consumed) or persistent (the value read is still available) way, respectively.

Following a rather standard practice (see, e.g., [15, 20]), we suppose that dynamically generated values such as channels or references are abstracted into a finite number of regions. This abstraction is reflected in the type system where the type of an address depends on the region with which the address is associated. Thus we write $\mathsf{Reg}_r A$ for the type of addresses containing values of type $A$ and relating to the region $r$ of the store. Our first and probably most difficult contribution, due to the interaction of the bang modality '!' with regions, is to design a system where types and usages are preserved by reduction.

The resulting functional-concurrent typed language is neither confluent nor terminating. However, it turns out that there are reasonable strategies to recover these properties. The general idea is that confluence can be recovered by introducing a proper discipline of region usage while termination can be recovered through a discipline of region stratification.

The notion of region usage is reminiscent of the one of hypotheses usage 
arising in affine-intuitionistic logic. Specifically, we distinguish the regions that 
can be used at most once to write and at most once to read from those that can 
be used at most once to write and arbitrarily many times to read. 

The notion of region stratification is based on the idea that values stored in 
a region should only produce effects on smaller regions. The implementation 
of this idea requires a substantial refinement of the type system that has to 
predict the effects potentially generated by the evaluation of an expression. 



This is where type and effect systems, as introduced in [15], come into play.

It turns out that the notions of region usage and region stratification combine smoothly, leading to the definition of an affine-intuitionistic system of types and effects. The system has affine-intuitionistic logic as its functional core and it can be used to guarantee the determinacy and termination of multi-threaded programs with effects. We stress that the nature of our contribution is mainly methodological and that more theoretical and experimental work is needed to arrive at a usable programming language. One promising direction is to add inductive data types and to extend the language to a synchronous/timed framework (cf. [1, 4]). In this framework, both confluence (determinism) and termination are valuable properties.

1.3 Related Work 

Girard, through the introduction of linear logic [9], has widely promoted a finer analysis of the structural rules of logic. There have been various attempts at producing a functional programming language based on these ideas and with a reasonably handy syntax (see, e.g., [3, 4, 17, 16, 2]). The logical origin of the notion of usage can be traced back to Girard's LU system [10] and in particular it is adopted in the Barber-Plotkin system [5] on which we build.

A number of works on type systems for concurrent languages such as the $\pi$-calculus have been inspired by linear logic even though in many cases the exact relationships with logic are at best unclear even for the fragment without side-effects. The conditions to guarantee confluence are inspired by the work of Kobayashi et al. [14] and one should expect a comparable expressive power (see also [13, 12] for much more elaborate notions of usage).

It is well known that intuitionistic logic is at the basis of typed functional programming. The type and effect system introduced in [15] is an enrichment of the intuitionistic system tracing the effects of imperative higher-order programs acting on a store. The system has provided a successful static analysis tool for the problem of heap-memory deallocation [20]. More recently, this issue has been revisited following the ideas of linear logic [23, 7].

The so called reducibility candidates method is probably the most important technique to prove termination of typable higher-order programs. Extensions of the method to 'functional fragments' of the $\pi$-calculus have been proposed, e.g., in [23, 19]. Boudol [6] has shown that a stratification of the regions guarantees termination for a multi-threaded higher-order functional language with references and cooperative scheduling. Our formulation of the stratification discipline is actually based on [1] which revisits and extends [6].

1.4 Structure of the Paper 

Section 2 introduces an affine-intuitionistic system with regions for a call-by-value functional-concurrent language. Section 3 introduces a discipline of region usage that guarantees confluence of the typable programs. Section 4 enriches the affine-intuitionistic system introduced in Section 2 with a notion of effect



$$
\begin{array}{rcll}
x, y, \ldots & & & \text{(Variables)}\\
V & ::= & * \mid x \mid \lambda x.M \mid\ !V & \text{(Values)}\\
M & ::= & V \mid MM \mid\ !M \mid \mathsf{let}\ !x = M\ \mathsf{in}\ M \mid \nu x\, M \mid \mathsf{set}(x, V) \mid \mathsf{pset}(x, V) \mid \mathsf{get}(x) \mid (M \,|\, M) & \text{(Terms)}\\
S & ::= & (x \leftarrow V) \mid (x \Leftarrow V) \mid (S \,|\, S) & \text{(Stores)}\\
P & ::= & M \mid S \mid (P \,|\, P) \mid \nu x\, P & \text{(Programs)}\\
E & ::= & [\ ] \mid EM \mid VE \mid\ !E \mid \mathsf{let}\ !x = E\ \mathsf{in}\ M & \text{(Evaluation Contexts)}\\
C & ::= & [\ ] \mid (C \,|\, P) \mid (P \,|\, C) \mid \nu x\, C & \text{(Static Contexts)}
\end{array}
$$

Table 1: Syntax: programs

which provides an upper bound on the set of regions on which the evaluation of a term may produce effects. Finally, Section 5 describes a discipline of region stratification that guarantees the termination of the typable programs. Proofs of the main results are available in the appendix.

2 An Affine-Intuitionistic Type System with Regions

We introduce a typed functional-concurrent programming language equipped 
with a call-by-value evaluation strategy. The functional core of the language 
relies on Barber-Plotkin's DILL. In order to type the dynamically generated 
addresses of the store, we introduce regions and suitable notions of usages. The 
related type system enjoys weakening and substitution and this leads to the 
expected properties of type preservation and progress. 

2.1 Syntax: Programs 

Table 1 introduces the syntax of our programs. We denote variables with $x, y, \ldots$, and with $V$ the values which are included in the category $M$ of terms. Stores are denoted by $S$, and programs $P$ are combinations of terms and stores. We comment on the main operators of the language. $*$ is a constant inhabiting the terminal type $1$ (see below). $\lambda x.M$ is the affine abstraction and $MM$ the application. $!$ marks values that can be duplicated while $\mathsf{let}\ !x = M\ \mathsf{in}\ N$ filters them and allows their multiple usage in $N$. In $\nu x\, M$ the operator $\nu$ generates a fresh address name $x$ whose scope is $M$. $\mathsf{set}(x, V)$ and $\mathsf{pset}(x, V)$ write the value $V$ in a volatile address and a persistent one, respectively, while $\mathsf{get}(x)$ fetches a value from the address $x$ (either volatile or persistent). Finally $(M \,|\, N)$ evaluates $M$ and $N$ in parallel. Note that when writing either $\lambda x.M$, or $\nu x\, M$, or $\mathsf{let}\ !x = N\ \mathsf{in}\ M$ the variable $x$ is bound in $M$. As usual, we abbreviate $(\lambda z.N)M$ with $M; N$, where $z$ is not free in $N$. Evaluation contexts $E$ follow a call-by-value discipline. Static contexts $C$ are composed of parallel



composition and $\nu$'s. Note that stores can only appear in a static context. Thus $M = V(\mathsf{set}(x, V'); V'')$ is a legal term while $M' = V(V'' \,|\, (x \leftarrow V'))$ is not.

2.2 Operational Semantics 

Table 2 describes the operational semantics of our language. Programs are
$$
\begin{array}{rcl}
E[\mathsf{set}(x, V)] & \rightarrow & E[*] \,|\, (x \leftarrow V)\\
E[\mathsf{pset}(x, V)] & \rightarrow & E[*] \,|\, (x \Leftarrow V)\\
E[\mathsf{get}(x)] \,|\, (x \leftarrow V) & \rightarrow & E[V]\\
E[\mathsf{get}(x)] \,|\, (x \Leftarrow\ !V) & \rightarrow & E[!V] \,|\, (x \Leftarrow\ !V)
\end{array}
$$

Table 2: Operational semantics

considered up to a structural equivalence $\equiv$ which is the least equivalence relation preserved by static contexts, and which contains the equations for $\alpha$-renaming, for the commutativity and associativity of parallel composition, for enlarging the scope of the $\nu$ operators to parallel programs, and for extracting the $\nu$ from an evaluation context. We use the notation $[V/x]$ for the substitution of the value $V$ for the variable $x$. The reduction rules apply modulo structural equivalence and in a static context $C$.

Example 1.

The programs (3) and (4) are structurally equivalent (up to some renaming):

$$
((\nu x\ \lambda y.M)(\nu x'\ \lambda y'.M'))V \,|\, P \tag{3}
$$

$$
\nu x\ \nu x'\ ((\lambda y.M)(\lambda y'.M'))V \,|\, P \tag{4}
$$

This transformation exposes the term $E[(\lambda y.M)(\lambda y'.M')]$ in the static context $C = \nu x\ \nu x'\ [\ ] \,|\, P$, where the evaluation context $E$ is $[\ ]V$.

In the sequel we consider the transitive closure of the relation defined by Table 2, also denoted $\rightarrow$.

Remark 1. Notice that the let rule and the get rule on a persistent store act similarly in the sense that they require the value being duplicated to be marked with a bang, while the affine $\beta$ rule and the get rule on a volatile store allow one to manipulate affine values.



$$
\begin{array}{rcll}
r, r', \ldots & & & \text{(Regions)}\\
\alpha & ::= & B \mid A & \text{(Types)}\\
A & ::= & 1 \mid A \multimap \alpha \mid\ !A \mid \mathsf{Reg}_r A & \text{(Value-types)}\\
\Gamma & ::= & x_1 : (u_1, A_1), \ldots, x_n : (u_n, A_n) & \text{(Contexts)}\\
R & ::= & r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n) & \text{(Region contexts)}
\end{array}
$$

Table 3: Syntax: types and contexts



2.3 Syntax: Types and Contexts 

Table 3 introduces the syntax of types and contexts. We denote regions with $r, r', \ldots$ and we suppose a region $r$ is either volatile ($\mathsf{V}(r)$) or persistent ($\mathsf{P}(r)$). Types are denoted with $\alpha, \alpha', \ldots$. Note that we distinguish a special behaviour type $B$ which is given to the entities of the language which are not supposed to return a value (such as a store or several values in parallel) while types of entities that may return a value are denoted with $A$. Among the types $A$, we distinguish a terminal type $1$, an affine functional type $A \multimap \alpha$, the type $!A$ of terms of type $A$ that can be duplicated, and the type $\mathsf{Reg}_r A$ of addresses containing values of type $A$ and related to the region $r$. Hereby types may depend on regions.

Before commenting on variable and region contexts, we need to define the notion of usage. To this end, it is convenient to introduce a set with three values $\{0, 1, \infty\}$ and a partial binary operation $\uplus$ such that

$$
x \uplus 0 = x \qquad 0 \uplus x = x \qquad \infty \uplus \infty = \infty
$$

and which is undefined otherwise.

We denote with $u$ a variable usage and assume that $u$ is either $1$ (a variable to be used at most once) or $\infty$ (a variable that can be used arbitrarily many times). Then a variable context (or simply a context) $\Gamma$ has the shape:

$$
x_1 : (u_1, A_1), \ldots, x_n : (u_n, A_n)
$$

where $x_i$ are distinct variables, $u_i \in \{1, \infty\}$ and $A_i$ are types of terms that may return a result. Writing $x : (u, A)$ means that the variable $x$ ranges on values of type $A$ and can be used according to $u$. We write $\mathit{dom}(\Gamma)$ for the set $\{x_1, \ldots, x_n\}$ of variables where the context is defined. The sum on usages is extended to contexts component-wise. In particular, if $x : (u_1, A) \in \Gamma_1$ and $x : (u_2, A) \in \Gamma_2$ then $x : (u_1 \uplus u_2, A) \in (\Gamma_1 \uplus \Gamma_2)$ only if $u_1 \uplus u_2$ is defined.

Example 2.

One may check that the sum:

$$
(x : (1, A), y : (\infty, B)) \uplus (y : (\infty, B), z : (1, C))
$$

is equal to

$$
x : (1, A), y : (\infty, B), z : (1, C)
$$

whereas these two are not defined:

$$
(x : (1, A), y : (\infty, B)) \uplus y : (1, B) \qquad (x : (1, A), y : (1, B)) \uplus y : (1, B)
$$

We are going to associate a usage with regions too, but in this case a usage will be a two dimensional vector because we want to be able to distinguish write and read usages. We denote with $U$ an element of one of the following three sets of usages:

$$
\{[\infty, \infty]\} \qquad \{[1, \infty], [0, \infty]\} \qquad \{[0, 0], [1, 0], [0, 1], [1, 1]\}
$$

where by convention we reserve the first component to describe the write usage and the second for the read usage. Thus a region with usage $[1, \infty]$ should be written at most once while it can be read arbitrarily many times. The addition $U_1 \uplus U_2$ is defined provided that:

(a) $U_1$ and $U_2$ are in the same set of usages

(b) the component-wise addition is defined

Example 3.

If $U_1 = [\infty, \infty]$ and $U_2 = [0, \infty]$ then the sum is undefined because $U_1$ and $U_2$ are not in the same set, while if $U_1 = [1, \infty]$ and $U_2 = [1, \infty]$ then the sum is undefined because $1 \uplus 1$ is undefined.

Note that in each set of usages there is a neutral usage $U_0$ such that $U_0 \uplus U = U$ for all $U$ in the same set.

A region context $R$ has the shape:

$$
r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n)
$$

where $r_i$ are distinct regions, $U_i$ are usages in the sense just defined, and $A_i$ are value-types. The typing system will additionally guarantee that whenever we use a type $\mathsf{Reg}_r A$ the region context contains a hypothesis $r : (U, A)$ for some $U$. Intuitively, writing $r : (U, A)$ means that addresses related to region $r$ contain values of type $A$ and that they can be used according to the usage $U$. We write $\mathit{dom}(R)$ for the set $\{r_1, \ldots, r_n\}$ of the regions where the region context is defined. As for contexts, the sum on usages is extended to region contexts component-wise. In particular, if $r : (U_1, A) \in R_1$ and $r : (U_2, A) \in R_2$ then $r : (U_1 \uplus U_2, A) \in (R_1 \uplus R_2)$ only if $U_1 \uplus U_2$ is defined. Moreover, for $(R_1 \uplus R_2)$ to be defined we require that $\mathit{dom}(R_1) = \mathit{dom}(R_2)$. There is no loss of generality in this hypothesis because if, say, $r : (U, A) \in R_1$ and $r \notin \mathit{dom}(R_2)$ then we can always add $r : (U_0, A)$ to $R_2$ where $U_0$ is the neutral usage of the set to which $U$ belongs (this is left implicit in the typing rules).



Example 4.

One may check that the sum:

$$
(r_1 : ([1, \infty], A), r_2 : ([0, 1], B)) \uplus (r_1 : ([0, \infty], A), r_2 : ([1, 0], B))
$$

is equal to

$$
r_1 : ([1, \infty], A), r_2 : ([1, 1], B)
$$

whereas these two are not defined:

$$
(R, r : ([1, \infty], B)) \uplus (R, r : ([1, \infty], B)) \qquad (R, r : ([0, \infty], B)) \uplus (R, r : ([1, 0], B))
$$
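As an added worked example (my own code, not part of the paper), the following Python implements the partial sum $\uplus$ on usages, variable contexts and region contexts exactly as defined above, and reproduces the checks of Examples 2, 3 and 4. Types are represented by plain strings, $\infty$ by `float("inf")`, and a region usage $[v, v']$ by the pair `(v, v')`; the function names are assumptions of this example. Padding a missing region with the neutral usage of its set, as the text allows, is what makes a name present on only one side simply carry over.

```python
# Added example (not from the paper): the partial sum on usages, variable
# contexts and region contexts of Section 2.3, with the checks of Examples 2-4.
INF = float("inf")  # stands for the usage ∞; types are plain strings


def usum(u1, u2):
    """Partial sum on {0, 1, ∞}: x ⊎ 0 = 0 ⊎ x = x and ∞ ⊎ ∞ = ∞; undefined otherwise."""
    if u1 == 0:
        return u2
    if u2 == 0:
        return u1
    if u1 == INF and u2 == INF:
        return INF
    raise ValueError(f"usage sum {u1} ⊎ {u2} is undefined")


# The three sets of region usages; a usage is a pair (write, read).
USAGE_SETS = (
    frozenset({(INF, INF)}),
    frozenset({(1, INF), (0, INF)}),
    frozenset({(0, 0), (1, 0), (0, 1), (1, 1)}),
)


def usage_set(U):
    """The set of usages U belongs to (each set has its own neutral element)."""
    for s in USAGE_SETS:
        if U in s:
            return s
    raise ValueError(f"{U} is not a region usage")


def region_usum(U1, U2):
    """U1 ⊎ U2: both must lie in the same set and the component-wise sum must be defined."""
    if usage_set(U1) is not usage_set(U2):
        raise ValueError(f"{U1} and {U2} are not in the same set of usages")
    return (usum(U1[0], U2[0]), usum(U1[1], U2[1]))


def context_sum(c1, c2, add):
    """Component-wise sum of two contexts {name: (usage, type)} using the usage sum `add`.

    A name missing from one side is simply copied over, which is the same as first
    padding that side with the neutral usage and then summing.
    """
    result = dict(c1)
    for name, (u2, ty2) in c2.items():
        if name in result:
            u1, ty1 = result[name]
            if ty1 != ty2:
                raise ValueError(f"type mismatch on {name}: {ty1} vs {ty2}")
            result[name] = (add(u1, u2), ty1)
        else:
            result[name] = (u2, ty2)
    return result


def var_context_sum(g1, g2):
    """Γ1 ⊎ Γ2 on variable contexts (usages in {1, ∞})."""
    return context_sum(g1, g2, usum)


def region_context_sum(r1, r2):
    """R1 ⊎ R2 on region contexts (usages are (write, read) pairs)."""
    return context_sum(r1, r2, region_usum)


def defined(op, *args):
    """True if the partial operation `op` is defined on `args`."""
    try:
        op(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Example 2: a defined sum of variable contexts and an undefined one.
    print(var_context_sum({"x": (1, "A"), "y": (INF, "B")}, {"y": (INF, "B"), "z": (1, "C")}))
    print(defined(var_context_sum, {"x": (1, "A"), "y": (INF, "B")}, {"y": (1, "B")}))
    # Example 4: a defined sum of region contexts.
    print(region_context_sum({"r1": ((1, INF), "A"), "r2": ((0, 1), "B")},
                             {"r1": ((0, INF), "A"), "r2": ((1, 0), "B")}))
```

Both undefined cases of Example 2 fail inside `usum` ($\infty \uplus 1$ and $1 \uplus 1$), while the two undefined cases of Example 4 fail for different reasons: the first because $1 \uplus 1$ is undefined on the write component, the second because $[0, \infty]$ and $[1, 0]$ belong to different sets of usages.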



2.4 Affine-Intuitionistic Type System with Regions

Because types depend on regions, we have to be careful in stating in Table 4 when a region context and a type are compatible ($R \downarrow \alpha$), when a region context is well-formed ($R \vdash$), when a type is well-formed in a region context ($R \vdash \alpha$) and when a context is well-formed in a region context ($R \vdash \Gamma$).

A more informal way to express the condition is to say that a judgement $r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n) \vdash \alpha$ is well formed provided that:

(a) all the region names occurring in the types $A_1, \ldots, A_n, \alpha$ belong to the set $\{r_1, \ldots, r_n\}$

(b) all types of the shape $\mathsf{Reg}_{r_i} B$ with $i \in \{1, \ldots, n\}$ and occurring in the types $A_1, \ldots, A_n, \alpha$ are such that $B = A_i$.

Example 5.

One may verify that

$$
r : (U, 1 \multimap 1) \vdash \mathsf{Reg}_r (1 \multimap 1)
$$

can be derived while these judgements cannot:

$$
r : (U, 1) \vdash \mathsf{Reg}_r (1 \multimap 1) \qquad r : (U, \mathsf{Reg}_r 1) \vdash 1
$$



Next, Table 5 introduces an affine-intuitionistic type system with regions whose basic judgement

$$
R; \Gamma \vdash P : \alpha
$$

attributes a type $\alpha$ to the program $P$ in the region context $R$ and the context $\Gamma$. Here and in the following we omit the rule for typing a program $(S \,|\, P)$ which is symmetric to the one for the program $(P \,|\, S)$.

The formulation of the so called promotion rule, i.e., the rule that introduces the '!' operator, requires some care. In particular, we notice that its formulation



$$
R \downarrow 1 \qquad R \downarrow B \qquad
\frac{R \downarrow A \quad R \downarrow \alpha}{R \downarrow (A \multimap \alpha)} \qquad
\frac{r : (U, A) \in R}{R \downarrow \mathsf{Reg}_r A}
$$

$$
\frac{\forall\, r : (U, A) \in R \quad R \downarrow A}{R \vdash} \qquad
\frac{R \vdash \quad R \downarrow \alpha}{R \vdash \alpha} \qquad
\frac{\forall\, x : (u, A) \in \Gamma \quad R \vdash A}{R \vdash \Gamma}
$$

Table 4: Type and context formation rules (unstratified)

relies on the predicates $\mathit{aff}$ (affine) and $\mathit{saff}$ (strongly affine) on contexts and region contexts which we define below. The intuition is that terms whose typing depends on affine (region) contexts should not be duplicated, i.e., should not be 'marked' with a $!$. Formally, we write $\mathit{aff}(x : (u, A))$ if $u = 1$. We also write $\mathit{aff}(r : ([v, v'], A))$ if either $1 \in \{v, v'\}$ or ($\mathsf{V}(r)$ and $v' \neq 0$). Moreover, we write $\mathit{aff}(R; \Gamma)$ (respectively $\mathit{saff}(R; \Gamma)$) if the predicate $\mathit{aff}$ holds for at least one of (respectively for all) the hypotheses in $R; \Gamma$.

Remark 2. Notice that we regard the hypothesis $r : ([v, v'], A)$ as affine if either it contains the information that we can read or write in $r$ at most once or if $r$ is a volatile region from which we can read. The reason for the second condition is that a volatile region may contain data that should be used at most once. For instance, assuming $\mathsf{V}(r)$, $R = r : ([\infty, \infty], A)$, and $\Gamma = x : (\infty, \mathsf{Reg}_r A)$, we can derive $R; \Gamma \vdash \mathsf{get}(x) : A$. However, we should not derive $R; \Gamma \vdash\ !\mathsf{get}(x) : !A$ for otherwise the crucial subject reduction property (Theorem 1) may be compromised.
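As an added example (my own code, not the paper's), the predicates $\mathit{aff}$ and $\mathit{saff}$ defined above, and the side condition $\neg\mathit{aff}(R; \Gamma)$ of the promotion rule, can be implemented directly and run on the situation of Remark 2. The volatility of each region is passed as a separate map, since $\mathsf{V}(r)$ is a property of the region rather than part of the context; types are plain strings, $\infty$ is `float("inf")`, and all function names are assumptions of this example.

```python
# Added example (not from the paper): the predicates aff and saff of Section 2.4
# and the side condition ¬aff(R; Γ) of the promotion rule, checked on Remark 2.
INF = float("inf")  # the usage ∞


def aff_var(u):
    """aff(x : (u, A)) holds iff u = 1."""
    return u == 1


def aff_region(U, volatile):
    """aff(r : ([v, v'], A)) holds iff 1 ∈ {v, v'} or (V(r) and v' ≠ 0)."""
    v, v_read = U
    return 1 in (v, v_read) or (volatile and v_read != 0)


def hypotheses_aff(R, Gamma, volatile):
    """The aff value of every hypothesis in R; Γ.

    R: {region: ((write, read), type)}, Gamma: {variable: (usage, type)},
    volatile: {region: bool}, True for V(r) and False for P(r).
    """
    flags = [aff_region(U, volatile[r]) for r, (U, _) in R.items()]
    flags += [aff_var(u) for _, (u, _) in Gamma.items()]
    return flags


def aff(R, Gamma, volatile):
    """aff(R; Γ): at least one hypothesis is affine."""
    return any(hypotheses_aff(R, Gamma, volatile))


def saff(R, Gamma, volatile):
    """saff(R; Γ): every hypothesis is affine (vacuously true for empty contexts)."""
    return all(hypotheses_aff(R, Gamma, volatile))


def promotable(R, Gamma, volatile):
    """Side condition under which R; Γ ⊢ M : A may be promoted to R; Γ ⊢ !M : !A,
    taking the weakening part R'; Γ' of the promotion rule to be empty: ¬aff(R; Γ)."""
    return not aff(R, Gamma, volatile)


if __name__ == "__main__":
    R = {"r": ((INF, INF), "A")}
    Gamma = {"x": (INF, "Reg_r A")}
    # Remark 2: with V(r) the hypothesis on r counts as affine, so !get(x) is rejected ...
    print(promotable(R, Gamma, {"r": True}))
    # ... whereas with P(r) the same contexts allow the promotion.
    print(promotable(R, Gamma, {"r": False}))
```

Note that `saff` of an empty pair of contexts is true, which is what lets the promotion rule be applied with no weakening at all.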

Finally, we remark that in the conclusion of the promotion rule we may weaken the (region) context with a strongly affine (region) context. This is essential to obtain the following weakening property.

Lemma 1 (weakening). If $R; \Gamma \vdash P : \alpha$ and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R'; \Gamma \uplus \Gamma' \vdash P : \alpha$.

Then we see how our type system applies to some program examples. 

Example 6.

Let $R = r : ([1, 1], 1)$ and

$$
M = \lambda x.\ \mathsf{let}\ !x = x\ \mathsf{in}\ \mathsf{get}(x) \,|\, \mathsf{set}(x, *)
$$

We check that:

$$
R; \_ \vdash M : \,!\mathsf{Reg}_r 1 \multimap B
$$

By the rule for affine implication, this reduces to:

$$
R; x : (1, !\mathsf{Reg}_r 1) \vdash \mathsf{let}\ !x = x\ \mathsf{in}\ \mathsf{get}(x) \,|\, \mathsf{set}(x, *) : B
$$



$$
\frac{R \vdash \Gamma \quad x : (u, A) \in \Gamma}{R; \Gamma \vdash x : A}
\qquad
\frac{R \vdash \Gamma}{R; \Gamma \vdash * : 1}
$$

$$
\frac{R; \Gamma, x : (1, A) \vdash M : \alpha}{R; \Gamma \vdash \lambda x.M : (A \multimap \alpha)}
\qquad
\frac{R_1; \Gamma_1 \vdash M : (A \multimap \alpha) \quad R_2; \Gamma_2 \vdash N : A}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash MN : \alpha}
$$

$$
\frac{R \uplus R' \vdash (\Gamma \uplus \Gamma') \quad \mathit{saff}(R'; \Gamma') \quad R; \Gamma \vdash M : A \quad \neg\mathit{aff}(R; \Gamma)}{R \uplus R'; \Gamma \uplus \Gamma' \vdash\ !M : !A}
\qquad
\frac{R_1; \Gamma_1 \vdash M : !A \quad R_2; \Gamma_2, x : (\infty, A) \vdash N : \alpha}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash \mathsf{let}\ !x = M\ \mathsf{in}\ N : \alpha}
$$

$$
\frac{R; \Gamma, x : (u, \mathsf{Reg}_r A) \vdash P : \alpha}{R; \Gamma \vdash \nu x\, P : \alpha}
\qquad
\frac{R \vdash \Gamma \quad x : (u, \mathsf{Reg}_r A) \in \Gamma \quad r : ([v, v'], A) \in R \quad v' \neq 0}{R; \Gamma \vdash \mathsf{get}(x) : A}
$$

$$
\frac{\begin{array}{c}
\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r)\\
R = r : ([v, v'], A) \uplus R' \quad v \neq 0\\
R \vdash \Gamma \quad R'; \Gamma' \vdash V : A
\end{array}}{R; \Gamma \vdash \mathsf{set}(x, V) : 1}
\qquad
\frac{\begin{array}{c}
\Gamma = x : (u, \mathsf{Reg}_r\, !A) \uplus \Gamma' \quad \mathsf{P}(r)\\
R = r : ([v, v'], !A) \uplus R' \quad v \neq 0\\
R \vdash \Gamma \quad R'; \Gamma' \vdash V : !A
\end{array}}{R; \Gamma \vdash \mathsf{pset}(x, V) : 1}
$$

$$
\frac{\begin{array}{c}
\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r)\\
R = r : ([v, v'], A) \uplus R' \quad v \neq 0\\
R \vdash \Gamma \quad R'; \Gamma' \vdash V : A
\end{array}}{R; \Gamma \vdash (x \leftarrow V) : B}
\qquad
\frac{\begin{array}{c}
\Gamma = x : (u, \mathsf{Reg}_r\, !A) \uplus \Gamma' \quad \mathsf{P}(r)\\
R = r : ([v, v'], !A) \uplus R' \quad v \neq 0\\
R \vdash \Gamma \quad R'; \Gamma' \vdash V : !A
\end{array}}{R; \Gamma \vdash (x \Leftarrow V) : B}
$$

$$
\frac{R_1; \Gamma_1 \vdash P : \alpha \quad R_2; \Gamma_2 \vdash S : B}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash (P \,|\, S) : \alpha}
\qquad
\frac{R_i; \Gamma_i \vdash P_i : \alpha_i \quad P_i \text{ not a store} \quad i = 1, 2}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash (P_1 \,|\, P_2) : B}
$$

Table 5: An affine-intuitionistic type system with regions
If we define $R_0 = r : ([0, 0], 1)$, then by the rule for the let we reduce to:

$$
R_0; x : (1, !\mathsf{Reg}_r 1) \vdash x : \,!\mathsf{Reg}_r 1
$$

and

$$
R; x : (\infty, \mathsf{Reg}_r 1) \vdash \mathsf{get}(x) \,|\, \mathsf{set}(x, *) : B
$$

The former is an axiom while the latter is derived from:

$$
r : ([0, 1], 1); x : (\infty, \mathsf{Reg}_r 1) \vdash \mathsf{get}(x) : 1
$$

and

$$
r : ([1, 0], 1); x : (\infty, \mathsf{Reg}_r 1) \vdash \mathsf{set}(x, *) : 1
$$

Note that we can actually apply the function $M$ to a value $!y$ which is typed using the promotion rule as follows:

$$
\frac{R_0; y : (\infty, \mathsf{Reg}_r 1) \vdash y : \mathsf{Reg}_r 1}{R_0; y : (\infty, \mathsf{Reg}_r 1) \vdash\ !y : \,!\mathsf{Reg}_r 1}
$$

We remark that the region context and the context play two different roles: the context counts the number of occurrences of a variable while the region context counts the number of read-write effects. In our example, the variable $x$ occurs several times but we can be sure that there will be at most one read and at most one write in the related region.

Example 7.

We consider a functional

$$
M = \lambda f.\lambda f'.\nu y\,(fy \,|\, f'y)
$$

which can be given the type

$$
(\mathsf{Reg}_r 1 \multimap 1) \multimap (\mathsf{Reg}_r 1 \multimap 1) \multimap B
$$

in a region context $R = r : ([0, 0], 1)$. We can apply $M$ to the functions

$$
V_1 = \lambda x.\mathsf{get}(x) \qquad V_2 = \lambda x.\mathsf{set}(x, *)
$$

which have the appropriate types in the compatible region contexts $R' = r : ([0, 1], 1)$ and $R'' = r : ([1, 0], 1)$, respectively. Such affine usages would not be compatible with an intuitionistic implication as in this case one has to promote (put a $!$ in front of) $V_1$ and $V_2$ before passing them as arguments.

As in the Barber-Plotkin system [2], the substitution lemma comes in two flavours:

Lemma 2 (substitution). Affine substitution (a) and intuitionistic substitution (b) preserve typing:

(a) If $R; \Gamma, x : (1, A) \vdash M : \alpha$, $R'; \Gamma' \vdash V : A$, and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R'; \Gamma \uplus \Gamma' \vdash [V/x]M : \alpha$.

(b) If $R; \Gamma, x : (\infty, A) \vdash M : \alpha$, $R'; \Gamma' \vdash\ !V : !A$, and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R'; \Gamma \uplus \Gamma' \vdash [V/x]M : \alpha$.

We rely on Lemma 2 to show that the basic reduction rules in Table 2 preserve typing. Then, observing that typing is invariant under structural equivalence, we can lift the property to the reduction relation which is generated by the basic reduction rules.

Theorem 1 (subject reduction). If $R; \Gamma \vdash P : \alpha$ and $P \rightarrow P'$ then $R; \Gamma \vdash P' : \alpha$.

In our formalism, a closed program is a program whose only free variables have region types (as in, say, the $\pi$-calculus). For closed programs one can state a progress property saying that if a program cannot progress then, up to structural equivalence, every thread is either a value or a term of the shape $E[\mathsf{get}(x)]$ and there is no store in parallel of the shape $(x \leftarrow V)$ or $(x \Leftarrow V)$. In particular, we notice that a closed value of type $!A$ must have the shape $!V$ so that in well-typed closed programs such as $\mathsf{let}\ !x = V\ \mathsf{in}\ M$ or $E[\mathsf{get}(x)] \,|\, (x \Leftarrow V)$, $V$ is guaranteed to have the shape $!V'$ required by the operational semantics in Table 2.

Proposition 1 (progress). Suppose $P$ is a closed typable program which cannot reduce. Then $P$ is structurally equivalent to a program

$$
\nu x_1, \ldots, x_m\ (M_1 \,|\, \cdots \,|\, M_n \,|\, S_1 \,|\, \cdots \,|\, S_p) \qquad m, n, p \ge 0
$$

where $M_i$ is either a value or can be uniquely decomposed as a term $E[\mathsf{get}(y)]$ such that no value is associated with the address $y$ in the stores $S_1, \ldots, S_p$.

3 Confluence 

In our language, each thread evaluates deterministically according to a call-by-value evaluation strategy. The only source of non-determinism comes from a concurrent access to the memory. More specifically, we may have a non-deterministic program if several values are stored at the same address as in the following examples (note that we cannot type a program where values are stored at an address both in a persistent and a volatile way):

$$
\mathsf{get}(x) \,|\, (x \leftarrow V_1) \,|\, (x \leftarrow V_2) \tag{5}
$$

$$
\mathsf{get}(x) \,|\, (x \Leftarrow V_1) \,|\, (x \Leftarrow V_2) \tag{6}
$$

or if there is a race condition on a volatile address as in the following example:

$$
E_1[\mathsf{get}(x)] \,|\, E_2[\mathsf{get}(x)] \,|\, (x \leftarrow V) \tag{7}
$$

On the other hand, a race condition on a persistent address such as:

$$
E_1[\mathsf{get}(x)] \,|\, E_2[\mathsf{get}(x)] \,|\, (x \Leftarrow V) \tag{8}
$$

does not compromise determinism because the two possible reductions commute.
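The four situations (5)-(8) can be checked mechanically. The following Python is an added example (my own code, not the paper's): it encodes a program as a tuple of waiting threads $E_i[\mathsf{get}(x)]$ plus a set of stores, enumerates every reduction sequence using only the two get rules of Table 2, and reports whether all maximal sequences end in the same configuration. The set and pset steps and the contents of the evaluation contexts are abstracted away, which is an assumption of this example; thread labels, value names and function names are constructed for it.

```python
# Added example (not from the paper): exhaustively enumerating the reductions of
# programs built from waiting threads E[get(x)] and stores, to see which of the
# situations (5)-(8) are deterministic.  Thread labels ("E1", "E2") stand for the
# distinct evaluation contexts; values are plain strings.

def thread_get(label, x):
    """A thread of the shape E[get(x)], waiting on address x."""
    return ("get", x, label)


def thread_val(label, v):
    """A thread of the shape E[v] (the read has completed)."""
    return ("val", v, label)


def store(x, v, persistent):
    """A store (x <- v) when persistent is False, (x <= v) when it is True."""
    return (x, v, "per" if persistent else "vol")


def successors(config):
    """All configurations reachable in one get-step (set/pset steps are not modelled).

    A configuration is (threads, stores): a tuple of threads and a frozenset of stores.
    Reading a volatile store consumes it; reading a persistent store leaves it in place.
    """
    threads, stores = config
    for i, t in enumerate(threads):
        if t[0] != "get":
            continue
        _, x, label = t
        for s in stores:
            y, v, mode = s
            if y != x:
                continue
            new_threads = threads[:i] + (thread_val(label, v),) + threads[i + 1:]
            new_stores = stores - {s} if mode == "vol" else stores
            yield (new_threads, new_stores)


def normal_forms(config):
    """The set of irreducible configurations reachable from config."""
    seen, result, todo = set(), set(), [config]
    while todo:
        c = todo.pop()
        if c in seen:
            continue
        seen.add(c)
        succ = list(successors(c))
        if not succ:
            result.add(c)
        todo.extend(succ)
    return result


def deterministic(config):
    """True iff every maximal reduction sequence ends in the same configuration."""
    return len(normal_forms(config)) == 1


def example(n):
    """Constructed encodings of the programs (5)-(8) of the text."""
    if n == 5:   # get(x) | (x <- V1) | (x <- V2)
        return ((thread_get("E", "x"),), frozenset({store("x", "V1", False), store("x", "V2", False)}))
    if n == 6:   # get(x) | (x <= V1) | (x <= V2)
        return ((thread_get("E", "x"),), frozenset({store("x", "V1", True), store("x", "V2", True)}))
    if n == 7:   # E1[get(x)] | E2[get(x)] | (x <- V)
        return ((thread_get("E1", "x"), thread_get("E2", "x")), frozenset({store("x", "V", False)}))
    if n == 8:   # E1[get(x)] | E2[get(x)] | (x <= V)
        return ((thread_get("E1", "x"), thread_get("E2", "x")), frozenset({store("x", "V", True)}))
    raise ValueError(n)


if __name__ == "__main__":
    for n in (5, 6, 7, 8):
        print(n, "deterministic" if deterministic(example(n)) else "non-deterministic")
```

For (7) the two normal forms differ in which of $E_1$, $E_2$ obtained $V$ and which is left blocked on an empty store; for (8) both orders of the two reads reach the same configuration, which is the commutation the text refers to.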
We can rule out the problematic situations (5), (6) and (7) if:

(a) we remove from our system the region usage $[\infty, \infty]$

(b) we restrict the usages of volatile stores to those in which there is at most one read effect (hence the set $\{[1, 1], [1, 0], [0, 1], [0, 0]\}$)

To this end, we add a condition $v' \neq \infty$ to the typing rules for volatile stores $\mathsf{set}(x, V)$ and $(x \leftarrow V)$ as specified in Table 6. We denote with $\vdash_c$ provability in

$$
U \in \{[1, \infty], [0, \infty]\} \cup \{[1, 1], [1, 0], [0, 1], [0, 0]\}
$$

$$
\frac{\begin{array}{c}
\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r)\\
R = r : ([v, v'], A) \uplus R' \quad v \neq 0,\ v' \neq \infty\\
R \vdash \Gamma \quad R'; \Gamma' \vdash V : A
\end{array}}{R; \Gamma \vdash \mathsf{set}(x, V) : 1}
\qquad
\frac{\begin{array}{c}
\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r)\\
R = r : ([v, v'], A) \uplus R' \quad v \neq 0,\ v' \neq \infty\\
R \vdash \Gamma \quad R'; \Gamma' \vdash V : A
\end{array}}{R; \Gamma \vdash (x \leftarrow V) : B}
$$

Table 6: Restricted usages and rules for confluence

this restricted system. This system still enjoys the subject reduction property and moreover its typable programs are strongly confluent.

Proposition 2 (subject reduction and confluence). Suppose $R; \Gamma \vdash_c P : \alpha$. Then:

(a) If $P \rightarrow P'$ then $R; \Gamma \vdash_c P' : \alpha$.

(b) If $P \rightarrow P'$ and $P \rightarrow P''$ then either $P' \equiv P''$ or there is a $Q$ such that $P' \rightarrow Q$ and $P'' \rightarrow Q$.

Proof.

(a) We just have to reconsider the case where $E[\mathsf{set}(x, V)] \rightarrow E[*] \,|\, (x \leftarrow V)$ and verify that if $R; \Gamma \vdash \mathsf{set}(x, V) : 1$ then $R; \Gamma \vdash (x \leftarrow V) : B$, which entails that $E[*] \,|\, (x \leftarrow V)$ is typable in the same context as $E[\mathsf{set}(x, V)]$.

(b) The restrictions on the usages forbid the typing of a store such as the one in (5) and (6) where two values are stored in the same region. Moreover, they also forbid the typing of two parallel reads on a volatile store (7).

□

Remark 3. We note that the rules for ensuring confluence require that at most one value is associated with a region (single-assignment). This is quite a restrictive discipline (comparable to the one in [14]) but one has to keep in mind that it targets regions that can be accessed concurrently by several threads. Of course, the discipline could be relaxed for the regions that are accessed by one single sequential thread. Also, e.g., for optimisation purposes, one may be interested in the confluence/determinism of certain reductions even when the overall program is non-deterministic.

4 An Affine-Intuitionistic Type and Effect System

We refine the type system to include effects which are denoted with $e, e', \ldots$ and are finite sets of regions. The syntax of programs (Table 1) and their operational semantics (Table 2) are unchanged. The only modification to the syntax of types (Table 3) is that the affine implication is now annotated with an effect so that we write:

$$
A \overset{e}{\multimap} \alpha
$$

which is the type of a function that when given a value of type $A$ may produce something of type $\alpha$ and an effect on the regions in $e$. This introduces a new dependency of types on regions and consequently the compatibility condition between region contexts and functional types in Table 4 becomes:

$$
\frac{R \downarrow A \quad R \downarrow \alpha \quad e \subseteq \mathit{dom}(R)}{R \downarrow (A \overset{e}{\multimap} \alpha)}
$$



Example 8. 

One may verify that the judgement 






is derivable. 



The typing judgements now take the shape

$$
R; \Gamma \vdash P : (\alpha, e)
$$

where the effect $e$ provides an upper bound on the set of regions on which the program $P$ may read or write when it is evaluated. In particular, we can be sure that values and stores produce an empty effect. As for the operations to read and write the store, one exploits the dependency of address types on regions to determine the region where the effect occurs (cf. [15]).

The affine-intuitionistic type and effect system is spelled out in Table 7. We stress that these rules are the same as the ones in Table 5 modulo the enriched syntax of the functional types and the management of the effect $e$ on the right hand side of the sequents. The management of the effects is additive as in [15]; indeed effects are just sets of regions.

Also, to allow for some flexibility, it is convenient to introduce a subtyping relation on types and effects, that is to say on pairs $(\alpha, e)$, as specified in Table 8. We notice that the transitivity rule for subtyping

$$
\frac{R \vdash \alpha \le \alpha' \quad R \vdash \alpha' \le \alpha''}{R \vdash \alpha \le \alpha''}
$$

can be derived via a simple induction on the height of the proofs.

Remark 4. The introduction of the subtyping rules has a limited impact on the structure of the typing proofs. Indeed, if $R \vdash A \le B$ then we know that $A$ and $B$ may just differ in the effects annotating the functional types. In particular, when looking at the proof of the typing judgement of a value such as $R; \Gamma \vdash \lambda x.M : (A, e)$, we can always argue that $A$ has the shape $A_1 \overset{e_1}{\multimap} A_2$ and, in case the effect $e$ is not empty, that there is a shorter proof of the judgement $R; \Gamma \vdash \lambda x.M : (B_1 \overset{e_2}{\multimap} B_2, \emptyset)$ where $R \vdash A_1 \le B_1$, $R \vdash B_2 \le A_2$, and $e_2 \subseteq e_1$.

Then to prove subject reduction, we just repeat the proof of Theorem 1 while using standard arguments to keep track of the effects.

Proposition 3 (subject reduction with effects). Types and effects are preserved by reduction.

Remark 5. It is easy to check that a typable program such as $E[\mathsf{set}(x, V)]$ which is ready to produce an effect on the region $r$ associated with $x$ will indeed contain $r$ in its effect. Thus the subject reduction property stated above as Proposition 3 entails that the type and effect system does provide an upper bound on the effects a program may produce during its evaluation.

5 Termination

Terms typable in the unstratified type and effect system (cf. Table 7) may diverge, as exemplified here:

Example 9.

The following term stores at the address $x$ a function that, given an argument, keeps fetching itself from the store forever:

$$
\nu x\ \mathsf{pset}(x, \,!(\lambda y.\ \mathsf{let}\ !x = \mathsf{get}(x)\ \mathsf{in}\ xy))\ ;\ \mathsf{let}\ !x = \mathsf{get}(x)\ \mathsf{in}\ x*
$$

One may verify that it is typable in a region context

$$
R = r : ([1, \infty], \,!(1 \overset{\{r\}}{\multimap} 1))
$$

This example suggests that in order to recover termination, we may order regions and make sure that a value stored in a certain region, when put in an evaluation context, can only produce effects on smaller regions. This is where our type and effect system comes into play, and to formalise this idea, we introduce in Table 9 rules for the formation of types and contexts which are alternative to those in Table 4.
Example 10. Assuming Table 9 and taking $R = r : (U, 1)$, one may check that the judgement

$$r : (U, 1),\; r' : (U', 1 \overset{\{r\}}{\multimap} 1) \vdash$$

is derivable while

$$r' : (U', 1 \overset{\{r'\}}{\multimap} 1) \vdash$$

is not. In particular, the region context of Example 9 is not derivable either.

It is easy to verify that the stratified system is a restriction of the unstratified one and that subject reduction (Proposition 3) still holds in the restricted, stratified system. If confluence is required, then one may add the restrictions spelled out in Table 6.
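As an added, runnable illustration of the formation rules of Table 9 and of the effect-containment subtyping of Table 8 (this is example code written for this page, not the paper's own), the Python below encodes types as tuples and checks the two region contexts of Example 10 together with the context of Example 9. The tuple encoding, the placeholder usage `U`, and the effect annotation `{r}` on the stored function of Example 9 (the function reads region r, so that is the effect its arrow type carries) are assumptions of the example.

```python
# Added example, not code from the paper: a checker for the stratified
# formation rules (Table 9) and the effect-containment subtyping (Table 8).
#
# Types are encoded as tuples (an encoding chosen here):
#   ('unit',)                 the type 1
#   ('B',)                    the behaviour type B
#   ('bang', A)               !A
#   ('arrow', A, eff, alpha)  A -eff-> alpha, eff a frozenset of region names
#   ('reg', r, A)             Reg_r A
# A region context R is an ordered list of (r, usage, A).  The usage [v, v']
# is carried along but never inspected by the formation rules.

UNIT = ('unit',)
B = ('B',)


def dom(R):
    """dom(R): the set of region names declared in R."""
    return {r for r, _, _ in R}


def wf_type(R, t):
    """R |- t, assuming R itself is well formed (the type rules of Table 9)."""
    tag = t[0]
    if tag in ('unit', 'B'):
        return True
    if tag == 'bang':                      # R |- A  gives  R |- !A
        return wf_type(R, t[1])
    if tag == 'arrow':                     # R |- A, R |- alpha, e subset of dom(R)
        _, a, eff, alpha = t
        return wf_type(R, a) and wf_type(R, alpha) and eff <= dom(R)
    if tag == 'reg':                       # r : (U, A) must already be in R
        _, r, a = t
        return any(r2 == r and a2 == a for r2, _, a2 in R)
    raise ValueError('unknown type constructor: %r' % (t,))


def wf_effect_type(R, alpha, eff):
    """R |- (alpha, e): the effect may only mention declared regions."""
    return wf_type(R, alpha) and eff <= dom(R)


def wf_region_context(R):
    """R |- : every region is new and its type is formed in the prefix only.

    This is the stratification: a value stored in region r can only carry
    effects on regions declared before r.
    """
    for i, (r, _, a) in enumerate(R):
        prefix = R[:i]
        if r in dom(prefix) or not wf_type(prefix, a):
            return False
    return True


def subtype(R, t1, t2):
    """R |- t1 <= t2 (Table 8): t1 and t2 may differ only in their effects."""
    if t1 == t2:                                           # reflexivity
        return True
    if t1[0] == 'bang' and t2[0] == 'bang':                # !A <= !A'
        return subtype(R, t1[1], t2[1])
    if t1[0] == 'arrow' and t2[0] == 'arrow':              # contravariant arg, covariant result, e <= e'
        _, a1, e1, r1 = t1
        _, a2, e2, r2 = t2
        return (subtype(R, a2, a1) and subtype(R, r1, r2)
                and e1 <= e2 <= dom(R))
    return False


# Constructed inputs.  U is an arbitrary usage; the rules never look at it.
U = [1, 1]
EX10_DERIVABLE = [('r', U, UNIT),
                  ("r'", U, ('arrow', UNIT, frozenset({'r'}), UNIT))]
EX10_NOT_DERIVABLE = [("r'", U, ('arrow', UNIT, frozenset({"r'"}), UNIT))]
# Example 9's context r : ([1, inf], !(1 -{r}-> 1)); the effect {r} is assumed here.
EX9_CONTEXT = [('r', [1, float('inf')],
                ('bang', ('arrow', UNIT, frozenset({'r'}), UNIT)))]

if __name__ == '__main__':
    print(wf_region_context(EX10_DERIVABLE))      # True
    print(wf_region_context(EX10_NOT_DERIVABLE))  # False: r' cannot be its own effect
    print(wf_region_context(EX9_CONTEXT))         # False: same reason, Example 9 is rejected
    print(subtype(EX10_DERIVABLE, ('arrow', UNIT, frozenset(), UNIT),
                  ('arrow', UNIT, frozenset({'r'}), UNIT)))  # True
```

The ordering of the list is what makes the check stratified: the type of `r'` is checked against the prefix `[r]` only, so an effect on `r'` itself, as in Example 9, is rejected even though the unstratified system accepts that context.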

Concerning termination, we recall that there is a standard forgetful translation $\underline{(\_)}$ from affine-intuitionistic logic to intuitionistic logic which amounts to forgetting about the modality ! and the usages, and to regarding the affine implication as an ordinary intuitionistic implication. Thus, for instance, the translation of types goes as follows: $\underline{!A} = \underline{A}$ and $\underline{A \multimap B} = \underline{A} \rightarrow \underline{B}$; while the translation of terms is: $\underline{!M} = \underline{M}$ and $\underline{\mathrm{let}\; !x = M\; \mathrm{in}\; N} = (\lambda x.\underline{N})\underline{M}$. In Table 10 we lift this translation from the stratified affine-intuitionistic type and effect system into the stratified intuitionistic type and effect system defined in [1].

The translation assumes a decoration phase where the (free or bound) variables with a region type of the shape $\mathrm{Reg}_r A$ are labelled with the region r. Intuitively, the intuitionistic system abstracts an address x related to the region r to the region r itself, so that a decorated variable $x^r$ translates into a constant r. In the intuitionistic language, a region r is a term of region type $\mathrm{Reg}_r A$ for some A, and all stores are persistent. The full definition of the language is recalled in Appendix A.2.

It turns out that a reduction in the affine-intuitionistic system is mapped to exactly one reduction in the intuitionistic system. Then the termination of the intuitionistic system proved in [1] entails the termination of the affine-intuitionistic one.

Theorem 2 (termination). Programs typable in the stratified affine-intuitionistic type and effect system terminate.
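To make the forgetful translation of Table 10 concrete, here is an added Python example (not the paper's code) that translates decorated terms of the affine-intuitionistic system into terms of the intuitionistic one and forgets usages and the modality on types and region contexts. The tuple encoding, the pretty-printer, and the decorated input term, built along the lines of Example 9 with its two components composed in parallel, are assumptions of the example.

```python
# Added example, not code from the paper: the forgetful translation of
# Table 10 on a tuple encoding of decorated terms (encoding chosen here).
#
# Affine-intuitionistic terms:
#   ('var', x, r)   a variable; r is the decorating region, or None when x
#                   does not have region type
#   ('star',)       *
#   ('lam', x, M)   \x.M          ('app', M, N)      M N
#   ('bang', M)     !M            ('let', x, M, N)   let !x = M in N
#   ('nu', x, M)    nu x M        ('get', X)         get(x^r), X a decorated var
#   ('set', X, V)   ('pset', X, V)   ('store', X, V)   (x^r <= V)
#   ('par', P, Q)   P | Q
# Intuitionistic terms use the same tags, plus ('reg', r) for a region
# constant and ('var', x) for an ordinary variable.


def translate(t):
    """Table 10: drop !, nu and usages; a decorated x^r becomes the region r."""
    tag = t[0]
    if tag == 'var':
        _, x, r = t
        return ('reg', r) if r is not None else ('var', x)
    if tag == 'star':
        return t
    if tag == 'lam':
        return ('lam', t[1], translate(t[2]))
    if tag == 'app':
        return ('app', translate(t[1]), translate(t[2]))
    if tag == 'bang':                       # !M  =  M
        return translate(t[1])
    if tag == 'let':                        # let !x = M in N  =  (\x.N) M
        _, x, m, n = t
        return ('app', ('lam', x, translate(n)), translate(m))
    if tag == 'nu':                         # nu x M  =  M
        return translate(t[2])
    if tag in ('get', 'set', 'pset', 'store'):
        region = translate(t[1])
        if region[0] != 'reg':
            raise ValueError('store operation on an undecorated variable: %r' % (t,))
        return (tag, region) + tuple(translate(u) for u in t[2:])
    if tag == 'par':
        return ('par', translate(t[1]), translate(t[2]))
    raise ValueError('unknown term: %r' % (t,))


def forget_type(a):
    """Types: !A = A; an arrow keeps its effect; Reg_r A = Reg_r A."""
    tag = a[0]
    if tag == 'bang':
        return forget_type(a[1])
    if tag == 'arrow':
        return ('arrow', forget_type(a[1]), a[2], forget_type(a[3]))
    if tag == 'reg':
        return ('reg', a[1], forget_type(a[2]))
    return a


def forget_region_context(R):
    """r_1 : (U_1, A_1), ... becomes r_1 : A_1, ...: usages are dropped."""
    return [(r, forget_type(a)) for r, _, a in R]


def show(t):
    """Pretty-print either kind of term (notation chosen here)."""
    tag = t[0]
    if tag == 'var':
        return t[1] if len(t) == 2 or t[2] is None else '%s^%s' % (t[1], t[2])
    if tag == 'reg':
        return t[1]
    if tag == 'star':
        return '*'
    if tag == 'lam':
        return 'λ%s.%s' % (t[1], show(t[2]))
    if tag == 'app':
        return '(%s %s)' % (show(t[1]), show(t[2]))
    if tag == 'bang':
        return '!' + show(t[1])
    if tag == 'let':
        return 'let !%s = %s in %s' % (t[1], show(t[2]), show(t[3]))
    if tag == 'nu':
        return 'ν%s %s' % (t[1], show(t[2]))
    if tag in ('get', 'set', 'pset'):
        return '%s(%s)' % (tag, ', '.join(show(u) for u in t[1:]))
    if tag == 'store':
        return '(%s ⇐ %s)' % (show(t[1]), show(t[2]))
    if tag == 'par':
        return '(%s | %s)' % (show(t[1]), show(t[2]))
    raise ValueError(t)


# Constructed input in the spirit of Example 9, with x decorated by region r:
#   nu x ( pset(x^r, !(\y. let !x = get(x^r) in x y)) | let !x = get(x^r) in x * )
# The inner x bound by let holds the fetched function, so it is not decorated.
XR = ('var', 'x', 'r')
LOOPER = ('bang', ('lam', 'y', ('let', 'x', ('get', XR),
                                 ('app', ('var', 'x', None), ('var', 'y', None)))))
EXAMPLE9 = ('nu', 'x', ('par', ('pset', XR, LOOPER),
                         ('let', 'x', ('get', XR),
                          ('app', ('var', 'x', None), ('star',)))))

if __name__ == '__main__':
    print(show(EXAMPLE9))
    print(show(translate(EXAMPLE9)))
    # (pset(r, λy.(λx.(x y) get(r))) | (λx.(x *) get(r)))
```

The translated term shows what the proof of Theorem 2 relies on: the ν and the ! have disappeared, the two `let`s have become applications of λ-abstractions, and every store operation now names the region r directly, so a reduction of the source term corresponds to one reduction of the image.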



6 Conclusion 

We have presented an affine-intuitionistic system of types and effects for a functional-concurrent programming language. The main contribution over [1] is that the functional core of the system is based on Barber-Plotkin affine-intuitionistic logic, which distinguishes between affine and intuitionistic hypotheses. The 'non-logical' part of the language, with operators to read and write dynamically generated addresses of a 'store', has been refined to take into account the process of data duplication. In the type system, addresses are abstracted into a finite number of regions. We have introduced a suitable discipline of region usage and shown that it combines with region stratification in the affine-intuitionistic setting to regain confluence and termination, respectively.

Future Work. Beyond these crucial properties, we hope to show that other interesting properties of the functional core can be extended to the considered framework. We think in particular of the construction of denotational models (see, e.g., [5]) and of bounds on the computational complexity of typable programs (see, e.g., [11]).

We also recall that more work would be required to get an operational programming language, as with the introduction of inductive types and the extension to a synchronous/timed framework (cf. [HISI]) where determinism and termination are useful properties.
A Proofs

A.1 Proof of Theorem 1

Lemma 3 (weakening). If $R;\Gamma \vdash P : \alpha$ and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R';\Gamma \uplus \Gamma' \vdash P : \alpha$.

Proof. By induction on the typing of P. Following Table 3 there are 14 rules to be considered, of which we highlight 3.

P = MN. We have:

$$\frac{R_1;\Gamma_1 \vdash M : A \multimap \alpha \qquad R_2;\Gamma_2 \vdash N : A}{R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash MN : \alpha}$$

We notice that the composition operation $\uplus$ on contexts is associative and commutative (when it is defined) and that $(R_1 \uplus R_2 \uplus R') \vdash (\Gamma_1 \uplus \Gamma_2 \uplus \Gamma')$ entails $(R_1 \uplus R') \vdash (\Gamma_1 \uplus \Gamma')$. Hence, by induction hypothesis, we get $R_1 \uplus R';\Gamma_1 \uplus \Gamma' \vdash M : A \multimap \alpha$, from which we derive:

$$\frac{R_1 \uplus R';\Gamma_1 \uplus \Gamma' \vdash M : A \multimap \alpha \qquad R_2;\Gamma_2 \vdash N : A}{R_1 \uplus R_2 \uplus R';\Gamma_1 \uplus \Gamma_2 \uplus \Gamma' \vdash MN : \alpha}$$

P = !M. We have:

$$\frac{R \uplus R'' \vdash \Gamma \uplus \Gamma'' \qquad \mathit{saff}(R'';\Gamma'') \qquad \neg\mathit{aff}(R;\Gamma) \qquad R;\Gamma \vdash M : A}{R \uplus R'';\Gamma \uplus \Gamma'' \vdash\, !M : !A}$$

We can always decompose R' as $R'_1 \uplus R'_2$ and $\Gamma'$ as $\Gamma'_1 \uplus \Gamma'_2$ so that $\neg\mathit{aff}(R'_2;\Gamma'_2)$ and $\mathit{saff}(R'_1;\Gamma'_1)$. By induction hypothesis, we have $R \uplus R'_2;\Gamma \uplus \Gamma'_2 \vdash M : A$. We notice that $\neg\mathit{aff}(R \uplus R'_2;\Gamma \uplus \Gamma'_2)$ and $\mathit{saff}(R'_1 \uplus R'';\Gamma'_1 \uplus \Gamma'')$ (remember that $1 \uplus \infty$ is undefined). Hence we derive:

$$\frac{\begin{array}{c}(R \uplus R'_2) \uplus (R'_1 \uplus R'') \vdash (\Gamma \uplus \Gamma'_2) \uplus (\Gamma'_1 \uplus \Gamma'') \qquad \mathit{saff}(R'_1 \uplus R'';\Gamma'_1 \uplus \Gamma'') \\ \neg\mathit{aff}(R \uplus R'_2;\Gamma \uplus \Gamma'_2) \qquad R \uplus R'_2;\Gamma \uplus \Gamma'_2 \vdash M : A\end{array}}{R \uplus R' \uplus R'';\Gamma \uplus \Gamma' \uplus \Gamma'' \vdash\, !M : !A}$$

P = set(x, V). We have:

$$\frac{\begin{array}{c}\Gamma = x : (u, \mathrm{Reg}_r A) \uplus \Gamma'' \qquad R = r : ([v,v'],A) \uplus R'' \qquad v \neq 0 \\ R \vdash \Gamma \qquad R'';\Gamma'' \vdash V : A\end{array}}{R;\Gamma \vdash \mathrm{set}(x,V) : 1}$$

By induction hypothesis, we have $R'' \uplus R';\Gamma'' \uplus \Gamma' \vdash V : A$, from which we derive:

$$\frac{\begin{array}{c}\Gamma \uplus \Gamma' = x : (u, \mathrm{Reg}_r A) \uplus (\Gamma'' \uplus \Gamma') \qquad R \uplus R' = r : ([v,v'],A) \uplus (R'' \uplus R') \qquad v \neq 0 \\ R \uplus R' \vdash \Gamma \uplus \Gamma' \qquad R'' \uplus R';\Gamma'' \uplus \Gamma' \vdash V : A\end{array}}{R \uplus R';\Gamma \uplus \Gamma' \vdash \mathrm{set}(x,V) : 1}$$

We notice that this argument still holds when introducing the restriction $v' \neq \infty$ in order to guarantee confluence (cf. Table 6). Indeed, the restriction $v' \neq \infty$ is equivalent to requiring that the usage of the region r ranges over the family of usages $\{[1,1],[1,0],[0,1],[0,0]\}$. $\square$

Lemma 4 (affine substitution lemma). If $R_1;\Gamma_1, x : (1,A) \vdash P : \alpha$, $R_2;\Gamma_2 \vdash V : A$, and $R_1 \uplus R_2 \vdash \Gamma_1 \uplus \Gamma_2$ then $R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash [V/x]P : \alpha$.

Proof. By induction on the typing of P. We highlight 4 cases out of 14.

P = MN. We have:

$$\frac{R_3;\Gamma'_3 \vdash M : C \multimap \alpha \qquad R_4;\Gamma'_4 \vdash N : C}{R_3 \uplus R_4;\Gamma'_3 \uplus \Gamma'_4 \vdash MN : \alpha}$$

Because $x : (1,A)$ is an affine hypothesis, it can occur exclusively either in $\Gamma'_3$ or in $\Gamma'_4$. We consider both cases.

1. $\Gamma'_3 = \Gamma_3, x : (1,A)$ and $\Gamma'_4 = \Gamma_4$ with $x \notin \mathrm{dom}(\Gamma_4)$. By induction hypothesis we have $R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Plus $x \notin FV(N)$ so $[V/x]N = N$, hence $R_4;\Gamma_4 \vdash [V/x]N : C$. Then we derive:

$$\frac{R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_4;\Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

2. $\Gamma'_3 = \Gamma_3$ with $x \notin \mathrm{dom}(\Gamma_3)$ and $\Gamma'_4 = \Gamma_4, x : (1,A)$. By induction hypothesis we have $R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C$. Plus $x \notin FV(M)$ so $[V/x]M = M$, hence $R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Then we derive:

$$\frac{R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

P = !M. We have:

$$\frac{R_1 \uplus R' \vdash \Gamma_1 \uplus (\Gamma', x : (1,A)) \qquad \mathit{saff}(R';\Gamma', x : (1,A)) \qquad R_1;\Gamma_1 \vdash M : A \qquad \neg\mathit{aff}(R_1;\Gamma_1)}{R_1 \uplus R';\Gamma_1 \uplus (\Gamma', x : (1,A)) \vdash\, !M : !A}$$

We deduce that $x \notin FV(!M)$, hence $[V/x](!M) = !M$ and $R_1 \uplus R';\Gamma_1 \uplus \Gamma' \vdash [V/x](!M) : !A$. By Lemma 3 we get $R_1 \uplus R' \uplus R_2;\Gamma_1 \uplus \Gamma' \uplus \Gamma_2 \vdash [V/x](!M) : !A$.

P = let !y = M in N. Renaming y so that $y \neq x$, we have:

$$\frac{R_3;\Gamma'_3 \vdash M : !C \qquad R_4;\Gamma'_4, y : (\infty,C) \vdash N : \alpha}{R_3 \uplus R_4;\Gamma'_3 \uplus \Gamma'_4 \vdash \mathrm{let}\; !y = M\; \mathrm{in}\; N : \alpha}$$

As in the case of application, we distinguish two cases.

1. $\Gamma'_3 = \Gamma_3, x : (1,A)$ and $\Gamma'_4 = \Gamma_4$ with $x \notin \mathrm{dom}(\Gamma_4)$. By induction hypothesis, we have $R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : !C$. Plus $x \notin FV(N)$ so $[V/x]N = N$, hence $R_4;\Gamma_4, y : (\infty,C) \vdash [V/x]N : \alpha$. Then we derive:

$$\frac{R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : !C \qquad R_4;\Gamma_4, y : (\infty,C) \vdash [V/x]N : \alpha}{R;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](\mathrm{let}\; !y = M\; \mathrm{in}\; N) : \alpha}$$

where $R = R_2 \uplus R_3 \uplus R_4$.

2. $\Gamma'_3 = \Gamma_3$ with $x \notin \mathrm{dom}(\Gamma_3)$ and $\Gamma'_4 = \Gamma_4, x : (1,A)$. By induction hypothesis we have $R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4, y : (\infty,C) \vdash [V/x]N : \alpha$. Plus $x \notin FV(M)$ so $[V/x]M = M$, hence $R_3;\Gamma_3 \vdash [V/x]M : !C$. Then we derive:

$$\frac{R_3;\Gamma_3 \vdash [V/x]M : !C \qquad R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4, y : (\infty,C) \vdash [V/x]N : \alpha}{R;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](\mathrm{let}\; !y = M\; \mathrm{in}\; N) : \alpha}$$

where $R = R_2 \uplus R_3 \uplus R_4$.

P = set(y, V'). We distinguish two cases.

1. If $y \neq x$ we have:

$$\frac{\begin{array}{c}\Gamma_1, x : (1,A) = y : (u, \mathrm{Reg}_r C) \uplus \Gamma'_1 \qquad R_1 = r : ([v,v'],C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1, x : (1,A) \qquad R'_1;\Gamma'_1 \vdash V' : C\end{array}}{R_1;\Gamma_1, x : (1,A) \vdash \mathrm{set}(y,V') : 1}$$

We deduce that $\Gamma'_1 = \Gamma''_1 \uplus x : (1,A)$, and by induction hypothesis we get $R'_1 \uplus R_2;\Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C$, from which we derive:

$$\frac{\begin{array}{c}\Gamma_1 = y : (u, \mathrm{Reg}_r C) \uplus \Gamma''_1 \qquad R_1 = r : ([v,v'],C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1 \qquad R'_1 \uplus R_2;\Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C\end{array}}{R_1;\Gamma_1 \vdash [V/x]\mathrm{set}(y,V') : 1}$$

By Lemma 3 we obtain

$$R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash [V/x]\mathrm{set}(y,V') : 1 .$$

2. If $y = x$ then $[V/x]\mathrm{set}(y,V') = \mathrm{set}(V,V')$, $A = \mathrm{Reg}_r C$, and $u = 1$. Moreover V must be a variable, thus we can derive:

$$\frac{\Gamma_1 = V : (1, \mathrm{Reg}_r C) \uplus \Gamma'_1 \qquad R_1 = r : ([v,v'],C) \uplus R'_1 \qquad v \neq 0}{R_1;\Gamma_1 \vdash [V/x]\mathrm{set}(y,V') : 1}$$

and by Lemma 3 we get

$$R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash [V/x]\mathrm{set}(y,V') : 1 .$$

$\square$

Lemma 5 (intuitionistic substitution lemma). If $R_1;\Gamma_1, x : (\infty,A) \vdash P : \alpha$, $R_2;\Gamma_2 \vdash\, !V : !A$ and $R_1 \uplus R_2 \vdash \Gamma_1 \uplus \Gamma_2$ then $R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash [V/x]P : \alpha$.

Proof. By induction on the typing of P. We highlight 4 cases out of 14.

P = MN. We have:

$$\frac{R_3;\Gamma'_3 \vdash M : C \multimap \alpha \qquad R_4;\Gamma'_4 \vdash N : C}{R_3 \uplus R_4;\Gamma'_3 \uplus \Gamma'_4 \vdash MN : \alpha}$$

We distinguish 3 cases.

1. $\Gamma'_3 = \Gamma_3, x : (\infty,A)$ and $\Gamma'_4 = \Gamma_4$ with $x \notin \mathrm{dom}(\Gamma_4)$. By induction hypothesis we have $R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Plus $x \notin FV(N)$ so $[V/x]N = N$, hence $R_4;\Gamma_4 \vdash [V/x]N : C$. Then we derive:

$$\frac{R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_4;\Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

2. $\Gamma'_3 = \Gamma_3$ with $x \notin \mathrm{dom}(\Gamma_3)$ and $\Gamma'_4 = \Gamma_4, x : (\infty,A)$. By induction hypothesis we have $R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C$. Plus $x \notin FV(M)$ so $[V/x]M = M$, hence $R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Then we derive:

$$\frac{R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

3. $\Gamma'_3 = \Gamma_3, x : (\infty,A)$ and $\Gamma'_4 = \Gamma_4, x : (\infty,A)$. By induction hypothesis we have $R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha$ and $R_2 \uplus R_4;\Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C$. Moreover we have:

$$\frac{R_5 \uplus R' \vdash \Gamma_5 \uplus \Gamma' \qquad \mathit{saff}(R';\Gamma') \qquad R_5;\Gamma_5 \vdash V : A \qquad \neg\mathit{aff}(R_5;\Gamma_5)}{R_2;\Gamma_2 \vdash\, !V : !A}$$

where $R_2 = R_5 \uplus R'$ and $\Gamma_2 = \Gamma_5 \uplus \Gamma'$. Hence we know that all the hypotheses of $R'$ and $\Gamma'$ are of weakened regions and variables. Thus we also have $R_3 \uplus R_5;\Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : C \multimap \alpha$ and $R_4 \uplus R_5;\Gamma_4 \uplus \Gamma_5 \vdash [V/x]N : C$. Plus from $\neg\mathit{aff}(R_5;\Gamma_5)$ we get $R_5 \uplus R_5 = R_5$ and $\Gamma_5 \uplus \Gamma_5 = \Gamma_5$, and we can derive:

$$\frac{R_3 \uplus R_5;\Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : C \multimap \alpha \qquad R_4 \uplus R_5;\Gamma_4 \uplus \Gamma_5 \vdash [V/x]N : C}{R_3 \uplus R_4 \uplus R_5;\Gamma_3 \uplus \Gamma_4 \uplus \Gamma_5 \vdash [V/x](MN) : \alpha}$$

By Lemma 3 we obtain $R_2 \uplus R_3 \uplus R_4;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha$.

P = !M. Suppose:

$$\frac{\begin{array}{c}R_5 \uplus R' \vdash (\Gamma_5, x : (\infty,A)) \uplus \Gamma' \qquad \mathit{saff}(R';\Gamma') \\ R_5;\Gamma_5, x : (\infty,A) \vdash M : B \qquad \neg\mathit{aff}(R_5;\Gamma_5, x : (\infty,A))\end{array}}{R_5 \uplus R';(\Gamma_5, x : (\infty,A)) \uplus \Gamma' \vdash\, !M : !B}$$

And also:

$$\frac{R_6 \uplus R_7 \vdash \Gamma_6 \uplus \Gamma_7 \qquad \mathit{saff}(R_7;\Gamma_7) \qquad \neg\mathit{aff}(R_6;\Gamma_6) \qquad R_6;\Gamma_6 \vdash V : A}{R_2;\Gamma_2 \vdash\, !V : !A}$$

with $R_2 = R_6 \uplus R_7$ and $\Gamma_2 = \Gamma_6 \uplus \Gamma_7$. Hence we know that all the hypotheses of $R_7$ and $\Gamma_7$ are of weakened regions and variables, so that $R_6;\Gamma_6 \vdash\, !V : !A$. By induction hypothesis we get $R_5 \uplus R_6;\Gamma_5 \uplus \Gamma_6 \vdash [V/x]M : B$ and we can derive:

$$\frac{\begin{array}{c}(R_5 \uplus R_6) \uplus (R_7 \uplus R') \vdash (\Gamma_5 \uplus \Gamma_6) \uplus (\Gamma_7 \uplus \Gamma') \qquad \mathit{saff}(R_7 \uplus R';\Gamma_7 \uplus \Gamma') \\ \neg\mathit{aff}(R_5 \uplus R_6;\Gamma_5 \uplus \Gamma_6) \qquad R_5 \uplus R_6;\Gamma_5 \uplus \Gamma_6 \vdash [V/x]M : B\end{array}}{R_5 \uplus R_2 \uplus R';\Gamma_5 \uplus \Gamma_2 \uplus \Gamma' \vdash [V/x]!M : !B}$$

P = let !y = M in N. We have:

$$\frac{R_3;\Gamma'_3 \vdash M : !C \qquad R_4;\Gamma'_4, y : (\infty,C) \vdash N : \alpha}{R_3 \uplus R_4;\Gamma'_3 \uplus \Gamma'_4 \vdash \mathrm{let}\; !y = M\; \mathrm{in}\; N : \alpha}$$

with $y \neq x$. We just spell out the case where $\Gamma'_3 = \Gamma_3, x : (\infty,A)$ and $\Gamma'_4 = \Gamma_4, x : (\infty,A)$. By induction hypothesis, we have $R_2 \uplus R_3;\Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : !C$ and $R_2 \uplus R_4;(\Gamma_4, y : (\infty,C)) \uplus \Gamma_2 \vdash [V/x]N : \alpha$. Moreover we have:

$$\frac{R_5 \uplus R' \vdash \Gamma_5 \uplus \Gamma' \qquad \mathit{saff}(R';\Gamma') \qquad R_5;\Gamma_5 \vdash V : A \qquad \neg\mathit{aff}(R_5;\Gamma_5)}{R_2;\Gamma_2 \vdash\, !V : !A}$$

where $\Gamma_2 = \Gamma_5 \uplus \Gamma'$ and $R_2 = R_5 \uplus R'$. Hence we know that all the hypotheses of $R'$ and $\Gamma'$ are of weakened regions and variables. Thus we also have $R_3 \uplus R_5;\Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : !C$ and $R_4 \uplus R_5;(\Gamma_4, y : (\infty,C)) \uplus \Gamma_5 \vdash [V/x]N : \alpha$. Plus from $\neg\mathit{aff}(R_5;\Gamma_5)$ we get $\Gamma_5 \uplus \Gamma_5 = \Gamma_5$ and $R_5 \uplus R_5 = R_5$, and we can derive:

$$\frac{R_3 \uplus R_5;\Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : !C \qquad R_4 \uplus R_5;(\Gamma_4, y : (\infty,C)) \uplus \Gamma_5 \vdash [V/x]N : \alpha}{R_3 \uplus R_4 \uplus R_5;\Gamma_3 \uplus \Gamma_4 \uplus \Gamma_5 \vdash [V/x](\mathrm{let}\; !y = M\; \mathrm{in}\; N) : \alpha}$$

By Lemma 3 we obtain $R_2 \uplus R_3 \uplus R_4;\Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](\mathrm{let}\; !y = M\; \mathrm{in}\; N) : \alpha$.

P = set(y, V'). We just look at the case $y \neq x$. We have:

$$\frac{\Gamma_1, x : (\infty,A) = y : (u, \mathrm{Reg}_r C) \uplus \Gamma'_1 \qquad R_1 \vdash \Gamma_1, x : (\infty,A) \qquad R'_1;\Gamma'_1 \vdash V' : C}{R_1;\Gamma_1, x : (\infty,A) \vdash \mathrm{set}(y,V') : 1}$$

We deduce that $\Gamma'_1 = \Gamma''_1 \uplus x : (\infty,A)$, and by induction hypothesis we get $R'_1 \uplus R_2;\Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C$, from which we derive:

$$\frac{\begin{array}{c}\Gamma_1 = y : (u, \mathrm{Reg}_r C) \uplus \Gamma''_1 \qquad R_1 = r : ([v,v'],C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1 \qquad R'_1 \uplus R_2;\Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C\end{array}}{R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash [V/x]\mathrm{set}(y,V') : 1}$$

$\square$

Lemma 6 (structural equivalence preserves typing). If $R;\Gamma \vdash P : \alpha$ and $P \equiv P'$ then $R;\Gamma \vdash P' : \alpha$.

Proof. Recall that structural equivalence is the least equivalence relation induced by the equations stated in Table 2 and closed under static contexts. Then we proceed by induction on the proof of structural equivalence. This is mainly a matter of reordering the pieces of the typing proof of P so as to obtain a typing proof of P'. $\square$

Lemma 7 (evaluation contexts and typing). Suppose that in the proof of $R;\Gamma \vdash E[M] : \alpha$ we prove $R';\Gamma' \vdash M : A$. Then replacing M with an M' such that $R';\Gamma' \vdash M' : A$, we can still derive $R;\Gamma \vdash E[M'] : \alpha$.

Proof. By induction on the structure of E. $\square$
Lemma 8 (functional redexes). If $R;\Gamma \vdash E[\Delta] : \alpha$ where $\Delta$ has the shape $(\lambda x.M)V$ or $\mathrm{let}\; !x = !V\; \mathrm{in}\; M$ then $R;\Gamma \vdash E[[V/x]M] : \alpha$.

Proof. If $\Delta = (\lambda x.M)V$ we appeal to the affine substitution Lemma 4 and if $\Delta = \mathrm{let}\; !x = !V\; \mathrm{in}\; M$ we rely on the intuitionistic substitution Lemma 5. This settles the case where the evaluation context E is trivial. If it is complex then we also need Lemma 7. $\square$

Lemma 9 (side-effects redexes). If $R;\Gamma \vdash \Delta : \alpha$ where $\Delta$ is one of the programs on the left-hand side then $R;\Gamma \vdash \Delta' : \alpha$ where $\Delta'$ is the corresponding program on the right-hand side:

$$\begin{array}{lll}
(1) & E[\mathrm{set}(x,V)] & E[*] \mid (x \Leftarrow V) \\
(2) & E[\mathrm{pset}(x,V)] & E[*] \mid (x \Leftarrow V) \\
(3) & E[\mathrm{get}(x)] \mid (x \Leftarrow V) & E[V] \\
(4) & E[\mathrm{get}(x)] \mid (x \Leftarrow\, !V) & E[!V] \mid (x \Leftarrow\, !V)
\end{array}$$
Proof. We proceed by case analysis.

1. Suppose we derive $R;\Gamma \vdash E[\mathrm{set}(x,V)] : \alpha$ from $R_2;\Gamma_2 \vdash \mathrm{set}(x,V) : 1$. By the typing rule for $\mathrm{set}(x,V)$ we know that $R_2 = r : ([v,v'],A) \uplus R_3$, $\mathcal{V}(r)$, $\Gamma_2 = x : (u, \mathrm{Reg}_r A) \uplus \Gamma_3$, and $R_3;\Gamma_3 \vdash V : A$. It follows that $R_2;\Gamma_2 \vdash (x \Leftarrow V) : B$. We can decompose $R_2;\Gamma_2$ into an additive part $(R_2;\Gamma_2)^0$ and a multiplicative one $(R_2;\Gamma_2)^1$. Then from $(R_2;\Gamma_2)^0 \vdash * : 1$, we can derive $R_1;\Gamma_1 \vdash E[*] : \alpha$, where $(R_1;\Gamma_1) \uplus (R_2;\Gamma_2)^1 = R;\Gamma$.

2. Suppose we derive $R;\Gamma \vdash E[\mathrm{pset}(x,V)] : \alpha$ from $R_2;\Gamma_2 \vdash \mathrm{pset}(x,V) : 1$. By the typing rule for $\mathrm{pset}(x,V)$ we know that $R_2 = r : ([v,v'],\, !A) \uplus R_3$, $\mathcal{V}(r)$, $\Gamma_2 = x : (u, \mathrm{Reg}_r\, !A) \uplus \Gamma_3$, and $R_3;\Gamma_3 \vdash V : !A$. It follows that $R_2;\Gamma_2 \vdash (x \Leftarrow V) : B$. Then we reason as in the previous case.

3. Suppose $R_1;\Gamma_1 \vdash E[\mathrm{get}(x)] : \alpha$ is derived from $R_2;\Gamma_2 \vdash \mathrm{get}(x) : A$, that $R_3;\Gamma_3 \vdash (x \Leftarrow V) : B$, and that $R;\Gamma = (R_1;\Gamma_1) \uplus (R_3;\Gamma_3)$. Then $(R_2;\Gamma_2) \uplus (R_3;\Gamma_3) \vdash V : A$, by weakening. Also, let r be the region associated with the address x. We know that $\mathcal{V}(r)$ and that $R_2$ must have a reading usage on r. It follows that $\mathit{aff}(R_2;\Gamma_2)$ and therefore the context E cannot contain a !. Thus from $(R_2;\Gamma_2) \uplus (R_3;\Gamma_3) \vdash V : A$ we can derive $R;\Gamma \vdash E[V] : \alpha$.

4. Suppose $R_1;\Gamma_1 \vdash E[\mathrm{get}(x)] : \alpha$ is derived from $R_2;\Gamma_2 \vdash \mathrm{get}(x) : !A$, that $R_3;\Gamma_3 \vdash (x \Leftarrow\, !V) : B$, and that $R;\Gamma = (R_1;\Gamma_1) \uplus (R_3;\Gamma_3)$. By the promotion rule, $R_3;\Gamma_3$ is a weakening of $R_4;\Gamma_4$ such that $\neg\mathit{aff}(R_4;\Gamma_4)$ and $R_4;\Gamma_4 \vdash V : A$. Then from $R_4;\Gamma_4 \vdash\, !V : !A$ we can derive $R';\Gamma' \vdash E[!V] : \alpha$ where $R;\Gamma$ is a weakening of $(R';\Gamma') \uplus (R_3;\Gamma_3)$.

$\square$

Theorem 3 (subject reduction). If $R;\Gamma \vdash P : \alpha$ and $P \rightarrow P'$ then $R;\Gamma \vdash P' : \alpha$.

Proof. We recall that $P \rightarrow P'$ means that P is structurally equivalent to a program $C[\Delta]$ where C is a static context, $\Delta$ is one of the programs on the left-hand side of the rewriting rules specified in Table 5, $\Delta'$ is the respective program on the right-hand side, and $P'$ is syntactically equal to $C[\Delta']$.

By Lemma 6 we know that $R;\Gamma \vdash C[\Delta] : \alpha$. This entails that $R';\Gamma' \vdash \Delta : \alpha'$ for suitable $R', \Gamma', \alpha'$. By Lemmas 8 and 9 we derive that $R';\Gamma' \vdash \Delta' : \alpha'$. Then by induction on the structure of C we argue that $R;\Gamma \vdash C[\Delta'] : \alpha$. $\square$
A.2 Proof of Theorem 2

Table 11 summarizes the main syntactic categories and the reduction rules of the intuitionistic system. It is important to notice that in the intuitionistic system regions are terms and that the operations that manipulate the store operate directly on the regions, so that we write $\mathrm{get}(r)$, $\mathrm{pset}(r,V)$, and $(r \Leftarrow V)$ rather than $\mathrm{get}(x)$, $\mathrm{pset}(x,V)$, and $(x \Leftarrow V)$.

Table 12 summarizes the typing rules for the stratified type and effect system.

Proviso. To avoid confusion, in the following we write $\vdash_{AI}$ for provability in the affine-intuitionistic system and $\vdash_I$ for provability in the intuitionistic system.

The translation acts on typable programs. In order to define it, it is useful to go through a phase of decoration which amounts to labelling each occurrence (either free or bound) of a variable x of region type $\mathrm{Reg}_r A$ with the region r. For instance, suppose $R = r_1 : (U_1,A_1), \ldots, r_4 : (U_4,A_4)$ and suppose we have a provable judgement:

$$R;\, x_1 : (u_1, \mathrm{Reg}_{r_1} A) \vdash_{AI}\; x_1 \mid \mathrm{let}\; !x_2 = \ldots\; \mathrm{in}\; x_2 \mid \lambda x_3.x_3 \mid \nu x_4\, x_4 : (B, \emptyset)$$

Further suppose in the proof the variable $x_i$ relates to the region $r_i$ for $i = 1, \ldots, 4$. Then the decorated term is:

$$x_1^{r_1} \mid \mathrm{let}\; !x_2 = \ldots\; \mathrm{in}\; x_2^{r_2} \mid \lambda x_3.x_3^{r_3} \mid \nu x_4\, x_4^{r_4} .$$

The idea is that the translation of a decorated variable $x^r$ is simply the region r, so that in the previous case we obtain the following term of the intuitionistic system:

$$r_1 \mid (\lambda x_2.r_2)(\ldots) \mid \lambda x_3.r_3 \mid r_4 .$$

Note that in the translation the $\nu$'s disappear while the $\lambda$'s and let's are simulated by the intuitionistic $\lambda$'s.

Assuming the decoration phase, the forgetful translation $\underline{(\_)}$ is defined in Table 10.

Lemma 10. The forgetful translation preserves provability in the following sense:

1. If $R \vdash_{AI}$ then $\underline{R} \vdash_I$.

2. If $R \vdash_{AI} \alpha$ then $\underline{R} \vdash_I \underline{\alpha}$.

3. If $R \vdash_{AI} (\alpha, e)$ then $\underline{R} \vdash_I (\underline{\alpha}, e)$.

4. If $R \vdash_{AI} \alpha \le \alpha'$ then $\underline{R} \vdash_I \underline{\alpha} \le \underline{\alpha'}$.

5. If $R \vdash_{AI} (\alpha, e) \le (\alpha', e')$ then $\underline{R} \vdash_I (\underline{\alpha}, e) \le (\underline{\alpha'}, e')$.

6. If $R \vdash_{AI} \Gamma$ then $\underline{R} \vdash_I \underline{\Gamma}$.

7. If $R;\Gamma \vdash_{AI} P : (\alpha, e)$ (and P has been decorated) then $\underline{R};\underline{\Gamma} \vdash_I \underline{P} : (\underline{\alpha}, e)$.

Proof. By induction on the provability relation $\vdash_{AI}$.

Concerning the rules for types and region contexts formation and for subtyping, the forgetful translation provides a one-to-one mapping from the rules of the affine-intuitionistic system to the rules of the intuitionistic one (the only exception are the rules for $!A$, which become trivial in the intuitionistic framework). Also note that $\mathrm{dom}(R) = \mathrm{dom}(\underline{R})$. With these remarks in mind, the proof of (1-5) is straightforward.

The proof of (6) follows directly from (2). We just notice that the forgetful translation of a context $\Gamma$ eliminates all the variables associated with region types. The point is that if these variables occur in the program they will be decorated and therefore in the translation they will be replaced by regions, i.e., constants.

In the proof of (7), it is useful to make a few preliminary remarks. First, weakening is a derived rule for the intuitionistic system, so that if we can prove $R;\Gamma \vdash_I P : (\alpha, e)$ and $R, R' \vdash \Gamma, \Gamma'$ then we can prove $R, R';\Gamma, \Gamma' \vdash_I P : (\alpha, e)$ too. Second, if $R_1 \uplus R_2$ is defined then $\underline{R_1} = \underline{R_2} = \underline{R_1 \uplus R_2}$. The proof is then a rather direct induction on the provability relation $\vdash_{AI}$. When we discharge an assumption and when we introduce a formal parameter with $\lambda$ or with let we must distinguish the situation where the variable under consideration has region type, say, $\mathrm{Reg}_r A$. In this case the variable does not occur in the translation of the related context $\Gamma$ and it is replaced in the term by the region r. $\square$

Next we want to relate the reduction of a program and of its translation. As already mentioned, in the intuitionistic system all stores are persistent. Consequently, a reduction such as:

$$\mathrm{get}(x^r) \mid (x^r \Leftarrow V) \rightarrow V$$

might be simulated by

$$\mathrm{get}(r) \mid (r \Leftarrow \underline{V}) \rightarrow \underline{V} \mid (r \Leftarrow \underline{V}) .$$

In other terms, the translated program may contain more values in the store than the source program. To account for this, we introduce a 'simulation' relation $\mathcal{S}$ indexed on a pair $R;\Gamma$ such that $R \vdash \Gamma$ and $\Gamma$ is just composed of variables of region type:

$$\mathcal{S}_{R;\Gamma} = \{\, (P, Q) \mid R;\Gamma \vdash_{AI} P : (\alpha, e),\; \underline{R}; \vdash_I Q : (\underline{\alpha}, e),\; Q \equiv (\underline{P} \mid S) \,\}$$
Lemma 11 (simulation). If $(P, Q) \in \mathcal{S}_{R;\Gamma}$ and $P \rightarrow P'$ then $Q \rightarrow Q'$ and $(P', Q') \in \mathcal{S}_{R;\Gamma}$.

Proof. Suppose $(P, Q) \in \mathcal{S}_{R;\Gamma}$. Then $(P, \underline{P}) \in \mathcal{S}_{R;\Gamma}$. Also if $P \rightarrow P'$ then $R;\Gamma \vdash_{AI} P'$ by subject reduction of the affine-intuitionistic system (incidentally, subject reduction holds for the intuitionistic system too [1]).

By definition $P \rightarrow P'$ means that P is structurally equivalent to a process $P_1$ which can be decomposed into a static context C and a redex $\Delta$ of the shape described in Table 2.

We notice that the forgetful translation preserves structural equivalence, namely if $P \equiv P_1$ then $\underline{P} \equiv \underline{P_1}$. Indeed, the commutativity and associativity rules of the affine-intuitionistic system match those of the intuitionistic system while the rules for commuting the $\nu$'s are 'absorbed' by the translation. For instance, $\underline{\nu x\, P \mid P'} = \underline{P} \mid \underline{P'} = \underline{\nu x\, (P \mid P')}$ with x not free in $P'$.

We also remark that the forgetful translation can be extended to static and evaluation contexts simply by defining $\underline{[\,]} = [\,]$. Then we note that the translation of a static (evaluation) context is an intuitionistic static (evaluation) context. In particular, this holds because the translation of a value is still a value.

Following these remarks, we can derive that $Q \equiv \underline{C}[\underline{\Delta}] \mid S$. Thus it is enough to focus on the redexes $\Delta$ and show that each reduction in the affine-intuitionistic system is mapped to a reduction in the intuitionistic one and that the resulting program is still related to the program $P'$ via the relation $\mathcal{S}_{R;\Gamma}$.

To this end, we notice that the translation commutes with substitution, so that $\underline{[V/x]M} = [\underline{V}/x]\underline{M}$. This is a standard argument, modulo the fact that the variables of region type have to be given a special treatment. For instance, we have:

Then one proceeds by case analysis on the redex $\Delta$. Let us look at two cases in some detail. If

$$\Delta = E[\mathrm{let}\; !x = !V\; \mathrm{in}\; M] \rightarrow E[[V/x]M]$$

then

$$\begin{array}{rcl}
\underline{\Delta} & = & \underline{E}[\,\underline{\mathrm{let}\; !x = !V\; \mathrm{in}\; M}\,] \\
& = & \underline{E}[(\lambda x.\underline{M})\underline{V}] \\
& \rightarrow & \underline{E}[[\underline{V}/x]\underline{M}] \\
& = & \underline{E}[\,\underline{[V/x]M}\,] \\
& = & \underline{E[[V/x]M]} .
\end{array}$$

On the other hand if $\Delta = E[\mathrm{get}(x^r)] \mid (x^r \Leftarrow V)$ then

$$\begin{array}{rcl}
\underline{\Delta} & = & \underline{E}[\mathrm{get}(r)] \mid (r \Leftarrow \underline{V}) \\
& \rightarrow & \underline{E}[\underline{V}] \mid (r \Leftarrow \underline{V}) .
\end{array}$$

Notice that in this case we have an additional store $(r \Leftarrow \underline{V})$, which is the reason why in the definition of the relation $\mathcal{S}$ we relate a program to its translation in parallel with some additional store. $\square$

Theorem 4 ([1]). If $R; \vdash_I P : (\alpha, e)$ then all reductions starting from P terminate.

Corollary 1 (termination). If $R;\Gamma \vdash_{AI} P : (\alpha, e)$ then all reductions starting from P terminate.

Proof. By contradiction. We have $(P, \underline{P}) \in \mathcal{S}_{R;\Gamma}$ and $\underline{R}; \vdash_I \underline{P} : (\underline{\alpha}, e)$. If there is an infinite reduction starting from P then the simulation Lemma 11 entails that there is an infinite reduction starting from $\underline{P}$. And this contradicts the termination of the intuitionistic system (Theorem 4). $\square$
$$\frac{R \vdash \Gamma \qquad x : (u, A) \in \Gamma \qquad u \neq 0}{R;\Gamma \vdash x : (A, \emptyset)} \qquad\qquad \frac{R \vdash \Gamma}{R;\Gamma \vdash * : (1, \emptyset)}$$

$$\frac{R;\Gamma, x : (1, A) \vdash M : (\alpha, e)}{R;\Gamma \vdash \lambda x.M : (A \overset{e}{\multimap} \alpha, \emptyset)} \qquad\qquad \frac{R_1;\Gamma_1 \vdash M : (A \overset{e}{\multimap} \alpha, e') \qquad R_2;\Gamma_2 \vdash N : (A, e'')}{R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash MN : (\alpha, e \cup e' \cup e'')}$$

$$\frac{R \uplus R' \vdash (\Gamma \uplus \Gamma') \qquad \mathit{saff}(R';\Gamma') \qquad R;\Gamma \vdash M : (A, e) \qquad \neg\mathit{aff}(R;\Gamma)}{R \uplus R';\Gamma \uplus \Gamma' \vdash\, !M : (!A, e)}$$

$$\frac{R_1;\Gamma_1 \vdash M : (!A, e) \qquad R_2;\Gamma_2, x : (\infty, A) \vdash N : (\alpha, e')}{R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash \mathrm{let}\; !x = M\; \mathrm{in}\; N : (\alpha, e \cup e')}$$

$$\frac{R;\Gamma, x : (u, \mathrm{Reg}_r A) \vdash P : (\alpha, e)}{R;\Gamma \vdash \nu x\, P : (\alpha, e)} \qquad\qquad \frac{R \vdash \Gamma \qquad x : (u, \mathrm{Reg}_r A) \in \Gamma \qquad r : ([v, v'], A) \in R \qquad v' \neq 0}{R;\Gamma \vdash \mathrm{get}(x) : (A, \{r\})}$$

$$\frac{\begin{array}{c}\Gamma = x : (u, \mathrm{Reg}_r A) \uplus \Gamma' \qquad \mathcal{V}(r) \qquad R = r : ([v, v'], A) \uplus R' \qquad v \neq 0 \\ R \vdash \Gamma \qquad R';\Gamma' \vdash V : (A, \emptyset)\end{array}}{R;\Gamma \vdash \mathrm{set}(x, V) : (1, \{r\})} \qquad \frac{\begin{array}{c}\Gamma = x : (u, \mathrm{Reg}_r\, !A) \uplus \Gamma' \qquad \mathcal{V}(r) \qquad R = r : ([v, v'],\, !A) \uplus R' \qquad v \neq 0 \\ R \vdash \Gamma \qquad R';\Gamma' \vdash V : (!A, \emptyset)\end{array}}{R;\Gamma \vdash \mathrm{pset}(x, V) : (1, \{r\})}$$

$$\frac{\begin{array}{c}\Gamma = x : (u, \mathrm{Reg}_r A) \uplus \Gamma' \qquad \mathcal{V}(r) \qquad R = r : ([v, v'], A) \uplus R' \qquad v \neq 0 \\ R \vdash \Gamma \qquad R';\Gamma' \vdash V : (A, \emptyset)\end{array}}{R;\Gamma \vdash (x \Leftarrow V) : (B, \emptyset)} \qquad \frac{\begin{array}{c}\Gamma = x : (u, \mathrm{Reg}_r\, !A) \uplus \Gamma' \qquad \mathcal{V}(r) \qquad R = r : ([v, v'],\, !A) \uplus R' \qquad v \neq 0 \\ R \vdash \Gamma \qquad R';\Gamma' \vdash V : (!A, \emptyset)\end{array}}{R;\Gamma \vdash (x \Leftarrow V) : (B, \emptyset)}$$

$$\frac{R_1;\Gamma_1 \vdash P : (\alpha, e) \qquad R_2;\Gamma_2 \vdash S : (B, \emptyset)}{R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash (P \mid S) : (\alpha, e)} \qquad\qquad \frac{R_i;\Gamma_i \vdash P_i : (\alpha_i, e_i) \qquad P_i \text{ not a store} \qquad i = 1, 2}{R_1 \uplus R_2;\Gamma_1 \uplus \Gamma_2 \vdash (P_1 \mid P_2) : (B, e_1 \cup e_2)}$$

Table 7: An affine-intuitionistic type and effect system

$$\frac{}{R \vdash \alpha \le \alpha} \qquad\qquad \frac{R \vdash A \le A'}{R \vdash\, !A \le\, !A'} \qquad\qquad \frac{R \vdash A' \le A \qquad R \vdash \alpha \le \alpha' \qquad e \subseteq e' \subseteq \mathrm{dom}(R)}{R \vdash (A \overset{e}{\multimap} \alpha) \le (A' \overset{e'}{\multimap} \alpha')}$$

$$\frac{R \vdash \alpha \le \alpha' \qquad e \subseteq e' \subseteq \mathrm{dom}(R)}{R \vdash (\alpha, e) \le (\alpha', e')} \qquad\qquad \frac{R;\Gamma \vdash M : (\alpha, e) \qquad R \vdash (\alpha, e) \le (\alpha', e')}{R;\Gamma \vdash M : (\alpha', e')}$$

Table 8: Subtyping induced by effect containment
$$\frac{}{\emptyset \vdash} \qquad\quad \frac{R \vdash A \qquad r \notin \mathrm{dom}(R)}{R, r : (U, A) \vdash} \qquad\quad \frac{R \vdash}{R \vdash 1} \qquad\quad \frac{R \vdash}{R \vdash B} \qquad\quad \frac{R \vdash A}{R \vdash\, !A}$$

$$\frac{R \vdash A \qquad R \vdash \alpha \qquad e \subseteq \mathrm{dom}(R)}{R \vdash (A \overset{e}{\multimap} \alpha)} \qquad\quad \frac{R \vdash \qquad r : (U, A) \in R}{R \vdash \mathrm{Reg}_r A} \qquad\quad \frac{R \vdash \alpha \qquad e \subseteq \mathrm{dom}(R)}{R \vdash (\alpha, e)}$$

Table 9: Formation of types and contexts (stratified)

$$\underline{1} = 1, \qquad \underline{B} = B, \qquad \underline{A \overset{e}{\multimap} \alpha} = \underline{A} \xrightarrow{e} \underline{\alpha}, \qquad \underline{!A} = \underline{A}, \qquad \underline{\mathrm{Reg}_r A} = \mathrm{Reg}_r \underline{A}$$

$$\underline{r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n)} = r_1 : \underline{A_1}, \ldots, r_n : \underline{A_n}$$

$$\underline{\Gamma, x : (u, A)} = \begin{cases} \underline{\Gamma}, x : \underline{A} & \text{if } A \text{ is not a region type} \\ \underline{\Gamma} & \text{otherwise} \end{cases}$$

$$\underline{x} = x, \qquad \underline{x^r} = r, \qquad \underline{*} = *, \qquad \underline{\lambda x.M} = \lambda x.\underline{M}, \qquad \underline{MN} = \underline{M}\,\underline{N},$$

$$\underline{!M} = \underline{M}, \qquad \underline{\mathrm{let}\; !x = M\; \mathrm{in}\; N} = (\lambda x.\underline{N})\underline{M}, \qquad \underline{\nu x\, M} = \underline{M},$$

$$\underline{\mathrm{get}(x^r)} = \mathrm{get}(r), \qquad \underline{\mathrm{set}(x^r, V)} = \mathrm{set}(r, \underline{V}), \qquad \underline{\mathrm{pset}(x^r, V)} = \mathrm{pset}(r, \underline{V}),$$

$$\underline{(x^r \Leftarrow V)} = (r \Leftarrow \underline{V}), \qquad \underline{P \mid P'} = \underline{P} \mid \underline{P'}$$

Table 10: Forgetful translation
Syntax: terms

$$\begin{array}{ll}
x, y, \ldots & \text{(Variables)} \\
r, s, \ldots & \text{(Regions)} \\
V ::= x \mid * \mid r \mid \lambda x.M & \text{(Values)} \\
M ::= V \mid MM \mid \mathrm{get}(V) \mid \mathrm{pset}(V, V) \mid (M \mid M) & \text{(Terms)} \\
S ::= (r \Leftarrow V) \mid (S \mid S) & \text{(Stores)} \\
P ::= M \mid S \mid (P \mid P) & \text{(Programs)} \\
E ::= [\,] \mid EM \mid VE & \text{(Evaluation Contexts)} \\
C ::= [\,] \mid (C \mid P) \mid (P \mid C) & \text{(Static Contexts)}
\end{array}$$

Operational semantics

$$\begin{array}{ll}
P \mid P' \equiv P' \mid P & \text{(Commutativity)} \\
(P \mid P') \mid P'' \equiv P \mid (P' \mid P'') & \text{(Associativity)} \\
E[(\lambda x.M)V] \rightarrow E[[V/x]M] & \\
E[\mathrm{get}(r)], (r \Leftarrow V) \rightarrow E[V], (r \Leftarrow V) & \\
E[\mathrm{pset}(r, V)] \rightarrow E[*], (r \Leftarrow V) &
\end{array}$$

Syntax: types and contexts

$$\begin{array}{ll}
\alpha ::= A \mid B & \text{(Types)} \\
A ::= 1 \mid (A \xrightarrow{e} \alpha) \mid \mathrm{Reg}_r A & \text{(Value-types)} \\
\Gamma ::= x_1 : A_1, \ldots, x_n : A_n & \text{(Contexts)} \\
R ::= r_1 : A_1, \ldots, r_n : A_n & \text{(Region contexts)}
\end{array}$$

Table 11: Intuitionistic system: syntactic categories and operational semantics
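As an added example (not the paper's code), the Python below implements the reduction rules of Table 11 on a tuple encoding of intuitionistic terms: β-reduction under an evaluation context, `get(r)` reading a persistent store and `pset(r, V)` extending it. The leftmost-thread scheduling, the representation of the store as a list of `(r, V)` pairs, and the two constructed programs are assumptions of the example; the second program is the translation of Example 9 (worked out by hand from Table 10) and never reaches a normal form, while the first, which stores a function with no effect, terminates.

```python
# Added example, not code from the paper: a small-step reducer for the
# intuitionistic system of Table 11 (encoding and scheduling chosen here).
#
#   ('var', x)  ('reg', r)  ('star',)  ('lam', x, M)      values
#   ('app', M, N)  ('get', V)  ('pset', V, W)  ('par', P, Q)
# The store is a list of (r, V) pairs; stores are persistent, so get never
# removes an entry and pset only adds one.


def is_value(t):
    return t[0] in ('var', 'reg', 'star', 'lam')


def subst(t, x, v):
    """[v/x]t.  v is closed in the examples below, so no capture can occur."""
    tag = t[0]
    if tag == 'var':
        return v if t[1] == x else t
    if tag in ('reg', 'star'):
        return t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, v))
    return (tag,) + tuple(subst(u, x, v) for u in t[1:])


def step(t, store):
    """One reduction of Table 11; returns (t', store') or None if no redex.

    Evaluation contexts E ::= [] | E M | V E are walked left to right; in a
    parallel composition the leftmost thread that can move is chosen (a
    scheduling decision of this example, not something the rules impose).
    """
    tag = t[0]
    if tag == 'par':
        for i in (1, 2):
            res = step(t[i], store)
            if res is not None:
                parts = list(t)
                parts[i] = res[0]
                return tuple(parts), res[1]
        return None
    if tag == 'app':
        m, n = t[1], t[2]
        if not is_value(m):                                   # E M
            res = step(m, store)
            return None if res is None else (('app', res[0], n), res[1])
        if not is_value(n):                                   # V E
            res = step(n, store)
            return None if res is None else (('app', m, res[0]), res[1])
        if m[0] == 'lam':                                     # E[(\x.M) V] -> E[[V/x]M]
            return subst(m[2], m[1], n), store
        return None
    if tag == 'get':
        if not is_value(t[1]):
            res = step(t[1], store)
            return None if res is None else (('get', res[0]), res[1])
        if t[1][0] == 'reg':                                  # E[get(r)], (r <= V) -> E[V], (r <= V)
            for r, v in store:
                if r == t[1][1]:
                    return v, store
        return None
    if tag == 'pset':
        for i in (1, 2):
            if not is_value(t[i]):
                res = step(t[i], store)
                if res is None:
                    return None
                parts = list(t)
                parts[i] = res[0]
                return tuple(parts), res[1]
        if t[1][0] == 'reg':                                  # E[pset(r, V)] -> E[*], (r <= V)
            return ('star',), store + [(t[1][1], t[2])]
        return None
    return None


def run(t, fuel):
    """Reduce for at most `fuel` steps; returns (term, store, steps, finished)."""
    store, steps = [], 0
    while steps < fuel:
        res = step(t, store)
        if res is None:
            return t, store, steps, True
        t, store = res
        steps += 1
    return t, store, steps, False


# Constructed programs.  GET_R applies whatever it reads in region r to *.
GET_R = ('app', ('lam', 'x', ('app', ('var', 'x'), ('star',))), ('get', ('reg', 'r')))
# Stores the identity, then reads and applies it: reaches a normal form in 4 steps.
TERMINATING = ('par', ('pset', ('reg', 'r'), ('lam', 'z', ('var', 'z'))), GET_R)
# Translation of Example 9: the stored function fetches itself again forever.
LOOPER = ('lam', 'y', ('app', ('lam', 'x', ('app', ('var', 'x'), ('var', 'y'))),
                       ('get', ('reg', 'r'))))
DIVERGING = ('par', ('pset', ('reg', 'r'), LOOPER), GET_R)

if __name__ == '__main__':
    print(run(TERMINATING, 50)[2:])   # (4, True)
    print(run(DIVERGING, 50)[2:])     # (50, False)
```

Because the store is persistent, `get(r)` leaves `(r ⇐ V)` in place exactly as in the rule `E[get(r)], (r ⇐ V) → E[V], (r ⇐ V)`; this is the extra store that the simulation relation of Lemma 11 has to tolerate. The diverging program is also the reason the stratified Table 12 refuses the region context of Example 9: the value stored in r carries an effect on r itself.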
Stratified region contexts and types

$$\frac{}{\emptyset \vdash} \qquad\quad \frac{R \vdash A \qquad r \notin \mathrm{dom}(R)}{R, r : A \vdash} \qquad\quad \frac{R \vdash}{R \vdash 1} \qquad\quad \frac{R \vdash}{R \vdash B}$$

$$\frac{R \vdash A \qquad R \vdash \alpha \qquad e \subseteq \mathrm{dom}(R)}{R \vdash (A \xrightarrow{e} \alpha)} \qquad\quad \frac{R \vdash \qquad r : A \in R}{R \vdash \mathrm{Reg}_r A} \qquad\quad \frac{R \vdash \alpha \qquad e \subseteq \mathrm{dom}(R)}{R \vdash (\alpha, e)}$$

Subtyping rules

$$\frac{}{R \vdash \alpha \le \alpha} \qquad\quad \frac{R \vdash A' \le A \qquad R \vdash \alpha \le \alpha' \qquad e \subseteq e' \subseteq \mathrm{dom}(R)}{R \vdash (A \xrightarrow{e} \alpha) \le (A' \xrightarrow{e'} \alpha')}$$

$$\frac{R \vdash \alpha \le \alpha' \qquad e \subseteq e' \subseteq \mathrm{dom}(R)}{R \vdash (\alpha, e) \le (\alpha', e')} \qquad\quad \frac{R;\Gamma \vdash M : (\alpha, e) \qquad R \vdash (\alpha, e) \le (\alpha', e')}{R;\Gamma \vdash M : (\alpha', e')}$$

Terms, stores, and programs

$$\frac{R \vdash \Gamma \qquad x : A \in \Gamma}{R;\Gamma \vdash x : (A, \emptyset)} \qquad\quad \frac{R \vdash \Gamma \qquad r : A \in R}{R;\Gamma \vdash r : (\mathrm{Reg}_r A, \emptyset)} \qquad\quad \frac{R \vdash \Gamma}{R;\Gamma \vdash * : (1, \emptyset)}$$

$$\frac{R;\Gamma, x : A \vdash M : (\alpha, e)}{R;\Gamma \vdash \lambda x.M : (A \xrightarrow{e} \alpha, \emptyset)} \qquad\quad \frac{R;\Gamma \vdash M : (A \xrightarrow{e_1} \alpha, e_2) \qquad R;\Gamma \vdash N : (A, e_3)}{R;\Gamma \vdash MN : (\alpha, e_1 \cup e_2 \cup e_3)}$$

$$\frac{R;\Gamma \vdash V : (\mathrm{Reg}_r A, \emptyset)}{R;\Gamma \vdash \mathrm{get}(V) : (A, \{r\})} \qquad\quad \frac{R;\Gamma \vdash V : (\mathrm{Reg}_r A, \emptyset) \qquad R;\Gamma \vdash V' : (A, \emptyset)}{R;\Gamma \vdash \mathrm{pset}(V, V') : (1, \{r\})}$$

$$\frac{R \vdash \Gamma \qquad r : A \in R \qquad R;\Gamma \vdash V : (A, \emptyset)}{R;\Gamma \vdash (r \Leftarrow V) : (B, \emptyset)} \qquad\quad \frac{R;\Gamma \vdash P : (\alpha, e) \qquad R;\Gamma \vdash S : (B, \emptyset)}{R;\Gamma \vdash (P \mid S) : (\alpha, e)}$$

$$\frac{P_i \text{ not a store} \qquad R;\Gamma \vdash P_i : (\alpha_i, e_i), \quad i = 1, 2}{R;\Gamma \vdash (P_1 \mid P_2) : (B, e_1 \cup e_2)}$$

Table 12: Intuitionistic system: stratified types and effects